Defining DevSecOps

•

1 like•414 views

Today everybody wants to deploy the app and infrastructure faster without any disputes. An Even, Agile framework can help to deploy faster in real-time. But Continuous Innovation may conflict with stability and security. Without security at every stage, DevOps merely introduces vulnerabilities into application quickly. To resolve such conflict, the gap in recursive feedback loops need to be eliminated. Mostly, teams are not effectively working in a collaboration and interacting with each other smoothly. This results in gaps and produce problems with code development and quality, meaning slower delivery plans and serious vulnerabilities that create security risk at most. Fortunately, these shortcomings can be addressed very well, as developers/testers are set to launch off into the DevSecOps world or via adopting rugged DevOps model.

Technology

3
Its hard
to answer the
questions
“What's Wrong?”
When
Nothing is Right

DevSECOps History
2004
• DevOps.com Registered
2010
• DevOps rise
2012
• Gartner introduced DevOpsSec and then DevSecOps
2013
• DevSecOps is on our Radar
2016-17
• Where are we?

Desert view
Source: http://www.sorinmustaca.com/scary-to-see-details-of-the-worlds-biggest-data-breaches/

People
• Social Engineering
• Phishing,
spamming
Processes
• Gaps
• Monolithic
approaches
Technology
• Complex systems
• Reusable
components
Hackers’
favorite
https://www.slideshare.net/SeniorStoryteller/the-journey-to-devsecops

Untold Truth
Security teams
comes at last once
risks is announced
occasionally
Hackers can find security
loop holes multiple times
in a day
DevOps teams
make security
decisions along
with CI/CD multiple
times in a day

Shared Security Model
On-Premises Infrastructure Platform Software
Applications Applications Applications Applications
Data Data Data Data
Runtime Runtime Runtime Runtime
Middleware Middleware Middleware Middleware
OS OS OS OS
Virtualization Virtualization Virtualization Virtualization
Servers Servers Servers Servers
Storage Storage Storage Storage
Networking Networking Networking Networking
Managed by YOU Managed by Provider

Communication Flow
Security
OpsDev
Source: Gartner (September 2016)

11Copyright © 2015 Accenture. All rights reserved.
Lets talk from the grounded reality

With a common goal
 Everyone must be a responsible for Security and
everyone one has a role to play!
 A blaming culture is dangerous, Avoid it.
 Reacting can be costlier proposition…have built-in
security
 Continuously Build, Test, Deploy and Improve
 Mistakes happen, but with frequent build…you will get
frequent opportunities to correct the defects
 Protection is Ideal, Detection is a Must

Practice for a DevSecOps
Use IAM and Role based ACL
Follow Simple Risk and Threat Model
Scan Custom Code, Apps and APIs (IAST, SAST, DAST)
Scan for OSS issues in development
Scan for vulnerabilities and correct configurations in all environments
Have Security as a Code!
5x Faster MTTR in blameless teams

Some More practices
Whitelisting on
production systems
•Including container
based systems
Assume Compromise
•Monitor everything
•Design for rapid
detection and
response
Lockdown Production
Infrastructure and
Services
• No SSH, Only
APIs and
scripts
Source: Gartner (September 2016)

Attack Driven Testing
 Server Errors: 500, 501, 502…
 XSS attempts
 Password resets
 Login failures
 Asserts
 Page is not available for Google crawl
 Page requires sign-in
 Port is not open
 Reuse unit tests to test your all Envs.
 Apply antivirus for your code also
 Use post-mortems for each fix
Automate
your
verificatio
n process

16
SecOps
Dev*Ops
OpSec
DevSec*Ops*.*
Rugged DevOps

17
Name: Uchit Vyas
URL: http://www.hellouchit.com
Mail: contact@hellouchit.com
Twitter_Handle: uchit_vyas

What's hot

DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully. Learning Objectives: 1: Identify key principles of DevSecOps and see how it relates to DevOps principles. 2: Analyze common pitfalls and see where integration security takes part in DevSecOps. 3: Demonstrate how to do “Continuous Security” by using a lifecycle approach. (Source: RSA Conference USA 2018)

Dos and Don'ts of DevSecOps

Priyanka Aash

If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk. This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later. This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them. There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.

DevSecOps at Agile 2019

Elizabeth Ayer

PETKO D. PETKOV Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.

DevSecCon London 2018: Open DevSecOps

DevSecCon

Dev secops. Real experience.

Vitaly Balashov

In 2009 Patrick Dubois coined the term "DevOps" when he organised the first "DevOpsDays" In Ghent, Belgium. Since then the term has become a term to explain the collaboration between all organisational stakeholders in IT projects (developers, operations, QA, marketing, security, legal, …) to deliver high quality, reliable solutions where issues are tackled early on in the value stream. But reality shows that many businesses that implement "DevOps" are actually talking about a collaboration between development, QA and operations (DQO). Solutions are being provided but lack the security and/or legal regulations causing hard-to-fix problems in production environments. In this talk I will explain how the original idea of Patrick to include all stakeholders got reduced to development, QA and operations and why it's so difficult to apply security or compliance improvements in this model. I will also talk about ways to make the DQO model welcoming for security experts and legal teams and why "DevSecOps" is now the term to be used to ensure security is no longer omitted from the value process. Finally we'll have a vote if we keep the term "DevOps" as an all-inclusive representation for all stakeholders or if we need to start using "DevSecOps" to ensure the business understands can no longer ignore the importance of security.

DevOps or DevSecOps

Michelangelo van Dam

DevSecOps reference architectures 2018

Sonatype

DevSecOps - The big picture

Stefan Streichsbier

Security in the FaaS Lane

James Wickett

DevSecOps - Building Rugged Software

SeniorStoryteller

DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp? This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops, and security to work together.

The Seven Habits of the Highly Effective DevSecOp

James Wickett

Serverless Security: A How-to Guide @ SnowFROC 2019

James Wickett

RSAC DevSecOpsDays 2018 - We are all Equifax

Sonatype

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

DevSecOps The Evolution of DevOps

Michael Man

All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table. Presented at OWASP NoVA, Sept 25th, 2018

DevSecOps and the CI/CD Pipeline

James Wickett

How to get the best out of DevSecOps - an operations perspective

Colin Domoney

DevSecOps and the New Path Forward

James Wickett

When a security vulnerability is found, your team needs to be able to address it quickly without having to check and update multiple systems. Watch the accompanying video to see how you can * Automate the creation of defects in HPE Quality Center when vulns are detected by WhiteHat Sentinel * Improve compliance by providing traceability between vulns and their fixes * Enable real-time reporting on status of security vulnerabilities

Painless DevSecOps: Building Security Into Your DevOps Pipeline

Tasktop

Over the past few years, more and more companies are turning to containerized environments to scale their applications. However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools. This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely. Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses: The top challenges to security in containerized environments How DevSecOps addresses security in containerized environments Tips and tricks for successfully incorporating security into the container lifecycle

Barriers to Container Security and How to Overcome Them

WhiteSource

The Emergent Cloud Security Toolchain for CI/CD

James Wickett

What's hot (20)

Dos and Don'ts of DevSecOps

DevSecOps at Agile 2019

DevSecCon London 2018: Open DevSecOps

Dev secops. Real experience.

DevOps or DevSecOps

DevSecOps reference architectures 2018

DevSecOps - The big picture

Security in the FaaS Lane

DevSecOps - Building Rugged Software

The Seven Habits of the Highly Effective DevSecOp

Serverless Security: A How-to Guide @ SnowFROC 2019

RSAC DevSecOpsDays 2018 - We are all Equifax

Benefits of DevSecOps

DevSecOps The Evolution of DevOps

DevSecOps and the CI/CD Pipeline

How to get the best out of DevSecOps - an operations perspective

DevSecOps and the New Path Forward

Painless DevSecOps: Building Security Into Your DevOps Pipeline

Barriers to Container Security and How to Overcome Them

The Emergent Cloud Security Toolchain for CI/CD

Similar to Defining DevSecOps

SCS DevSecOps Seminar - State of DevSecOps

Stefan Streichsbier

The DevSecOps Builder’s Guide to the CI/CD Pipeline

James Wickett

Dev{sec}ops

Steven Carlson

The Principles of Secure Development - BSides Las Vegas 2009

Security Ninja

HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.

HouSecCon 2019: Offensive Security - Starting from Scratch

Spencer Koch

AllDayDevOps 2019 AppSensor

jtmelton

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for DevOps

Black Duck by Synopsys

Threat Modelling in DevSecOps Cultures

DevOps Indonesia

This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.

Programming languages and techniques for today’s embedded andIoT world

Rogue Wave Software

Open source software drives efficiency and innovation, but affects your application stacks and introduces new challenges to keeping them highly available and performing. Find out about the hottest open source options and how they can help your organization achieve better uptime and performance levels. We also explore the tradeoffs of using open source software, how to evaluate and assess the available types, and the potential effects on your applications and infrastructure.

Open source software: The infrastructure impact

Rogue Wave Software

Safely Removing the Last Roadblock to Continuous Delivery

SeniorStoryteller

Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS). This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints. But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

Threat Stack

Presentation by Shannon Lietz Software needs to be awesome, resilient, available and “secure”, but Security has long been a big roadblock to fast deployments and software improvement. What if it wasn’t? Continuous delivery requires operational functions to shift left and for an iterative approach to be taken. Security has not been easy to shift left and taking an iterative approach requires everyone to take responsibility. With a continuos security approach and everyone in the Software Supply Chain taking on the tasks of including security, its possible to achieve Rugged Software. This talk aims to provide a journey towards this approach and provide the path. Software needs to be awesome, resilient, available and “secure”, but Security has long been a big roadblock to fast deployments and software improvement. What if it wasn’t? Continuous delivery requires operational functions to shift left and for an iterative approach to be taken. Security has not been easy to shift left and taking an iterative approach requires everyone to take responsibility. With a continuos security approach and everyone in the Software Supply Chain taking on the tasks of including security, its possible to achieve Rugged Software. This talk aims to provide a journey towards this approach and provide the path.

2016 - Safely Removing the Last Roadblock to Continuous Delivery

devopsdaysaustin

"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io

How to Get Started with DevSecOps

CYBRIC

The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect. Downside: The more APIs, the higher the security risk! API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs. Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language. In this presentation you will learn: Security risks at each stage of the API lifecycle, and how to mitigate them. How to implement an end-to-end automated API security model that development, security and operations teams will love. How to think positive! Why a positive security model works.

The Dev, Sec and Ops of API Security - API World

42Crunch

Pentest is yesterday, DevSecOps is tomorrow

Amien Harisen Rosyandino

For Business's Sake, Let's focus on AppSec

Lalit Kale

The key benefit of DevOps is speed and continuous delivery but with secure DevOps teams often suffer from the notion that there’s a tradeoff between security and speed. However, that is not the scenario always. Prudent use of Security automation allows the teams to maintain both security and speed. The automated security testing makes the security consistent and less vulnerable to human errors. Shifting of the security practices left towards the design phase is a major advantage. It is a big achievement to catch the security loophole at the design or the development phase of a new feature. This is what DevSecOps tooling strategies aim at. Check out this presentation and learn more about integrating security into DevOps with DevSecOps!

DevSecOps: Integrating Security Into DevOps! {Business Security}

Ajeet Singh

In this presentation from the webinar of Security MVP and Microsoft Security Trusted Advisor, Paula Januszkiewicz,get an overview of how privileged access management can help balance DevOps’ need for agility and speed with IT security’s need for visibility, access management, and compliance. Key use cases covered include: • Network Segmentation: Grouping assets, including application and resource servers, into logical units that do not trust one another • Enforcing Appropriate Use of Credentials: IT organizations can leverage these controls to limit lateral movement in the case of a compromise and to provide a secure audit trail • Elimination of Hard-Coded Passwords: Removing hardcoded passwords in DevOps tool configurations, build scripts, code files, test builds, production builds, etc. You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/securing-devops-privileged-access-management/

Securing DevOps through Privileged Access Management

BeyondTrust

Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?

Open Source Defense for Edge 2017

Adrian Sanabria

Similar to Defining DevSecOps (20)

SCS DevSecOps Seminar - State of DevSecOps

The DevSecOps Builder’s Guide to the CI/CD Pipeline

Dev{sec}ops

The Principles of Secure Development - BSides Las Vegas 2009

HouSecCon 2019: Offensive Security - Starting from Scratch

AllDayDevOps 2019 AppSensor

Software Security Assurance for DevOps

Threat Modelling in DevSecOps Cultures

Programming languages and techniques for today’s embedded andIoT world

Open source software: The infrastructure impact

Safely Removing the Last Roadblock to Continuous Delivery

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

2016 - Safely Removing the Last Roadblock to Continuous Delivery

How to Get Started with DevSecOps

The Dev, Sec and Ops of API Security - API World

Pentest is yesterday, DevSecOps is tomorrow

For Business's Sake, Let's focus on AppSec

DevSecOps: Integrating Security Into DevOps! {Business Security}

Securing DevOps through Privileged Access Management

Open Source Defense for Edge 2017

More from Uchit Vyas ☁

Service api design validation & collaboration

Uchit Vyas ☁

API Design Collaboration

Uchit Vyas ☁

Expectations from Development and Operations groups are high and are measured against time-to-market as key KPI for an organization competitiveness. They are expected to release in quick succession with exceedingly high quality, reliability and repeatability irrespective of the scale of deployment. The Platform is a Deployment Automation platform to deploy and configure simple to complex environments reliably and repeatedly at the click of a button. Installations taking weeks can now happen in minutes – offering HIGH-SPEED deployment automation.

Let’s Democratize Deployments

Uchit Vyas ☁

The Automation Summit is the leading peer-to-peer educational and networking event for IT automation professionals. As an attendee, you’ll learn why today’s automation innovations are critical for your operation. Plan to be part of this year’s knowledge exchange, April 27 at the Park Plaza, Bangalore. It has been aimed to provide IT automation industry a unique platform to converge and showcase its capabilities and products. It also allows managers and engineers working in IT Automation projects to exchange, engage and explore new opportunities.

Scaling with Automation

Uchit Vyas ☁

Hashicorp Products Overview

Uchit Vyas ☁

This is the story of a company that had 10s of customers and were facing severe scaling issues. They approached us. They had a good product predicting a few hundred customers within 6 months. VCs went to them. Infrastructure scaling was the only unknown; funding for software-defined data centers. We introduced Terraform for infrastructure creation, Chef for OS hardening, and then Packer for supporting AWS as well as VSphere. Then, after a few more weeks, when there was a need for faster response from the data center, we went into Serf to immediately trigger chef-clients and then to Consul for service monitoring. Want to describe this journey. Finally, we did the same exact thing in at a Fortune 500 customer to replace 15 year-old scripts. We will also cover sleek ways of dealing with provisioning in different Availability Zones across various AWS regions with Terraform.

Rapid Infrastructure Provisioning

Uchit Vyas ☁

Deployment using aws

Uchit Vyas ☁

Simple Db & Dynamo Db

Uchit Vyas ☁

Cloud

Uchit Vyas ☁

More from Uchit Vyas ☁ (9)

Service api design validation & collaboration

API Design Collaboration

Let’s Democratize Deployments

Scaling with Automation

Hashicorp Products Overview

Rapid Infrastructure Provisioning

Deployment using aws

Simple Db & Dynamo Db

Cloud

Recently uploaded

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Manulife - Insurer Innovation Award 2024

The Digital Insurer

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Real Time Object Detection Using Open CV

Khem

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Recently uploaded (20)

A Year of the Servo Reboot: Where Are We Now?

MINDCTI Revenue Release Quarter One 2024

Manulife - Insurer Innovation Award 2024

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

HTML Injection Attacks: Impact and Mitigation Strategies

Strategies for Landing an Oracle DBA Job as a Fresher

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Apidays New York 2024 - The value of a flexible API Management solution for O...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Exploring the Future Potential of AI-Enabled Smartphone Processors

Real Time Object Detection Using Open CV

Axa Assurance Maroc - Insurer Innovation Award 2024

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Automating Google Workspace (GWS) & more with Apps Script

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Scaling API-first – The story of a global engineering organization

Defining DevSecOps

1. The Journey To DevSecOps UCHIT VYAS TECHNOLOGY CONSULTING MANAGER ACCENTURE

2. 2 Uchit Vyas (Technology Consulting Manager-FS @ Accenture)

3. 3 Its hard to answer the questions “What's Wrong?” When Nothing is Right

4. DevSECOps History 2004 • DevOps.com Registered 2010 • DevOps rise 2012 • Gartner introduced DevOpsSec and then DevSecOps 2013 • DevSecOps is on our Radar 2016-17 • Where are we?

5. Google Trends: “DevSecOps” Sunny view

6. Desert view Source: http://www.sorinmustaca.com/scary-to-see-details-of-the-worlds-biggest-data-breaches/

7. People • Social Engineering • Phishing, spamming Processes • Gaps • Monolithic approaches Technology • Complex systems • Reusable components Hackers’ favorite https://www.slideshare.net/SeniorStoryteller/the-journey-to-devsecops

8. Untold Truth Security teams comes at last once risks is announced occasionally Hackers can find security loop holes multiple times in a day DevOps teams make security decisions along with CI/CD multiple times in a day

9. Shared Security Model On-Premises Infrastructure Platform Software Applications Applications Applications Applications Data Data Data Data Runtime Runtime Runtime Runtime Middleware Middleware Middleware Middleware OS OS OS OS Virtualization Virtualization Virtualization Virtualization Servers Servers Servers Servers Storage Storage Storage Storage Networking Networking Networking Networking Managed by YOU Managed by Provider

10. Communication Flow Security OpsDev Source: Gartner (September 2016)

12. With a common goal  Everyone must be a responsible for Security and everyone one has a role to play!  A blaming culture is dangerous, Avoid it.  Reacting can be costlier proposition…have built-in security  Continuously Build, Test, Deploy and Improve  Mistakes happen, but with frequent build…you will get frequent opportunities to correct the defects  Protection is Ideal, Detection is a Must

13. Practice for a DevSecOps Use IAM and Role based ACL Follow Simple Risk and Threat Model Scan Custom Code, Apps and APIs (IAST, SAST, DAST) Scan for OSS issues in development Scan for vulnerabilities and correct configurations in all environments Have Security as a Code! 5x Faster MTTR in blameless teams

14. Some More practices Whitelisting on production systems •Including container based systems Assume Compromise •Monitor everything •Design for rapid detection and response Lockdown Production Infrastructure and Services • No SSH, Only APIs and scripts Source: Gartner (September 2016)

15. Attack Driven Testing  Server Errors: 500, 501, 502…  XSS attempts  Password resets  Login failures  Asserts  Page is not available for Google crawl  Page requires sign-in  Port is not open  Reuse unit tests to test your all Envs.  Apply antivirus for your code also  Use post-mortems for each fix Automate your verificatio n process

16. 16 SecOps Dev*Ops OpSec DevSec*Ops*.* Rugged DevOps

17. 17 Name: Uchit Vyas URL: http://www.hellouchit.com Mail: contact@hellouchit.com Twitter_Handle: uchit_vyas

18. Questions?

Defining DevSecOps

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Defining DevSecOps

Similar to Defining DevSecOps (20)

More from Uchit Vyas ☁

More from Uchit Vyas ☁ (9)

Recently uploaded

Recently uploaded (20)

Defining DevSecOps