DevSecOps

Explore DevSecOps tools and techniques needed to maintain quality and security at high velocity.

Modern Security Operations (aka Secure DevOps): Madhu Akula

This talk is focused on the what, why and how of running security operations in the modern world. The pace at which attacks are changing and developers are moving ahead with next-generation technologies is blazingly fast. However, traditional operations still exist. It then becomes imperative to change the way security operations run, to defend against attackers and to work with developers and modern businesses. In this talk, we will see the real-world problems faced by organisations, and how we can rapidly adapt to change by modifying culture and methodologies while relying on processes, tools and techniques.

ABN AMRO Transforms with CI/CD to Accelerate Software Delivery and Improve Security: Stefan Simenon

The focus will be on how to deal with automated code quality, secure coding and OSS library management in CI pipelines. ABN AMRO Bank is focusing on code quality and secure coding. This talk will explain how this is implemented in CI pipelines and what governance is in place to ensure security.

DevSecOps and the DevOps Superpattern: Helen Beal

DevOps has become so much more than just a way to help IT development and operations teams work better together. It has broadened to include the whole business value stream and may be better expressed as BizIT. The DevOps Superpattern seeks to express how many systems of thinking are evolving and converging to produce a set of best practices that aid us in delivering better outcomes to customers, faster and more safely. Safety Culture is a critical converging strand and one that drives DevSecOps capability, ensuring the right levels of governance are in place to mitigate the risk of failure, including cyber-security failure.

Continuous Patch and Security Assessment with InSpec: Christoph Hartmann

InSpec’s DSL is a human- and machine-readable assessment language that is extendable and customizable. Since testing can be fully automated with InSpec, companies can assess and enforce secure configuration across their IT fleet. Integration with CI/CD systems allows continuous testing in high-velocity organizations. This talk will give an introduction to InSpec and demonstrate how patch and security levels can be assessed in CI/CD and production environments.
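
The CI/CD integration the abstract mentions needs one concrete piece: a step that reads the assessment results and decides whether the pipeline proceeds. Below is an added example of such a gate (not code from this talk or the InSpec project). It assumes the report was produced with `inspec exec <profile> --reporter json` and reads only the profiles/controls/results fields of that reporter's output; the report embedded in the script is constructed for the example, and the impact threshold is an assumption a team would tune.

```python
"""Gate a CI/CD stage on the results of an InSpec run.

Added example, not code from the talk or from the InSpec project. It assumes
the report was produced with `inspec exec <profile> --reporter json` and
reads only the profiles -> controls -> results fields of that format. The
report embedded below is constructed for the example, and the impact
threshold is an assumption a team would tune.
"""
import json
import sys

# Constructed sample report, trimmed to the fields this script reads
# (a real report also carries platform, statistics and version).
SAMPLE_REPORT = json.dumps({
    "profiles": [{
        "name": "ssh-baseline",
        "controls": [
            {"id": "sshd-01", "title": "Root login disabled", "impact": 1.0,
             "results": [{"status": "passed",
                          "code_desc": "SSHD Configuration PermitRootLogin should eq \"no\""}]},
            {"id": "sshd-02", "title": "Password authentication disabled", "impact": 0.7,
             "results": [{"status": "failed",
                          "code_desc": "SSHD Configuration PasswordAuthentication should eq \"no\"",
                          "message": "expected: \"no\"\n     got: \"yes\""}]},
            {"id": "patch-01", "title": "openssl at or above patched version", "impact": 0.9,
             "results": [{"status": "failed",
                          "code_desc": "System Package openssl version should cmp >= \"1.1.1k\"",
                          "message": "expected: >= \"1.1.1k\"\n     got: \"1.1.1f\""}]},
            {"id": "audit-01", "title": "auditd installed", "impact": 0.3,
             "results": [{"status": "skipped",
                          "code_desc": "System Package auditd should be installed"}]},
        ],
    }],
})


def parse_failures(report_json):
    """Return one dict per failed result with the owning control's id and impact."""
    report = json.loads(report_json)
    failures = []
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            for result in control.get("results", []):
                if result.get("status") != "failed":
                    continue
                failures.append({
                    "profile": profile.get("name", ""),
                    "id": control["id"],
                    "impact": float(control.get("impact", 0.0)),
                    "code_desc": result.get("code_desc", ""),
                    "message": result.get("message", ""),
                })
    return failures


def gate(report_json, fail_at=0.7):
    """Decide whether the stage passes.

    A failed control whose impact is at or above fail_at blocks the stage;
    lower-impact failures are surfaced as warnings. Returns (ok, blocking, warnings).
    """
    failures = parse_failures(report_json)
    blocking = [f for f in failures if f["impact"] >= fail_at]
    warnings = [f for f in failures if f["impact"] < fail_at]
    return len(blocking) == 0, blocking, warnings


def summarize(report_json, fail_at=0.7):
    """Human-readable summary for the CI log."""
    ok, blocking, warnings = gate(report_json, fail_at)
    lines = [f"BLOCK {f['id']} (impact {f['impact']:.1f}): {f['code_desc']}" for f in blocking]
    lines += [f"WARN  {f['id']} (impact {f['impact']:.1f}): {f['code_desc']}" for f in warnings]
    lines.append("RESULT " + ("PASS" if ok else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a real report from a file if one is given, else use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summarize(text))
    sys.exit(0 if gate(text)[0] else 1)
```

Gating on impact rather than on the raw pass/fail count is what lets the same profile run in a high-velocity pipeline: a 0.3-impact hardening gap is logged and tracked, while a failed patch-level or authentication control stops the deploy. Skipped controls are deliberately not treated as failures here; whether they should be is a policy decision for the team.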

Testing Docker Images Security: Jose Manuel Ortega

In this talk, we present the lessons learned from security reviews of Docker image deployments. First, we give an overview of a typical Docker deployment process. Second, we explain the attack surface and threats over Docker images. Third, we present how we can detect vulnerabilities in source images with code analysis techniques. We conclude with best practices explaining how to remediate these vulnerabilities.
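
The "code analysis" step in the abstract is, for an image, mostly analysis of the Dockerfile before anything is built. The following is an added example of that kind of pre-build check (not code from this talk). The rules encode common image-hygiene mistakes and are assumptions a team would extend rather than a published standard; the Dockerfile embedded in the script is constructed to trigger each of them.

```python
"""Static analysis of a Dockerfile as a pre-build CI step.

Added example, not code from the talk. The rules encode common image-hygiene
mistakes (unpinned base image, remote ADD, curl piped to a shell, credentials
in ENV/ARG, exposed SSH, no USER); they are assumptions a team would extend,
and the Dockerfile below is constructed to trigger them.
"""
import re

SAMPLE_DOCKERFILE = """\
FROM python:latest
ADD https://example.internal/install.sh /tmp/install.sh
RUN curl -sSL https://get.example.internal | sh
RUN apt-get update && apt-get install -y curl
ENV DB_PASSWORD=hunter2
COPY . /app
EXPOSE 22
CMD ["python", "/app/main.py"]
"""

# KEY=value or KEY value forms whose key name suggests a credential (heuristic).
CREDENTIAL_ENV = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)\w*[ \t=]+\S+", re.I)
# curl/wget output piped into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")


def parse_instructions(text):
    """Return [(lineno, INSTRUCTION, arguments)], dropping comments and joining
    backslash continuations the way the Dockerfile parser does."""
    instructions, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        instructions.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf, start = [], None
    return instructions


def lint_dockerfile(text):
    """Return [(lineno, rule, message)]; lineno 0 marks a file-level finding."""
    findings, saw_user = [], False
    for lineno, inst, arg in parse_instructions(text):
        args = [a for a in arg.split() if not a.startswith("--")]  # drop flags like --chown
        if inst == "FROM" and args:
            image = args[0]                      # ignore a trailing "AS builder"
            name = image.split("/")[-1]          # registry and path stripped
            pinned = "@sha256:" in image or (":" in name and not name.endswith(":latest"))
            if not pinned:
                findings.append((lineno, "unpinned-base",
                                 f"base image {image!r} is not pinned to a tag or digest"))
        elif inst == "ADD" and args and args[0].startswith(("http://", "https://")):
            findings.append((lineno, "add-remote",
                             "ADD fetches from a URL; download with checksum verification in RUN instead"))
        elif inst == "RUN":
            if PIPE_TO_SHELL.search(arg):
                findings.append((lineno, "curl-pipe-sh",
                                 "remote content piped straight into a shell; nothing verifies it"))
            if "apt-get install" in arg and "--no-install-recommends" not in arg:
                findings.append((lineno, "apt-recommends",
                                 "apt-get install without --no-install-recommends pulls in extra packages"))
        elif inst in ("ENV", "ARG") and CREDENTIAL_ENV.search(arg):
            findings.append((lineno, "secret-in-env",
                             f"{inst} appears to carry a credential; it persists in the image history"))
        elif inst == "EXPOSE" and any(a.split("/")[0] == "22" for a in args):
            findings.append((lineno, "ssh-exposed", "port 22 exposed; containers should not run sshd"))
        elif inst == "USER":
            saw_user = True
    if not saw_user:
        findings.append((0, "runs-as-root", "no USER instruction; the process runs as root"))
    return findings


if __name__ == "__main__":
    for lineno, rule, message in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno:>2}  {rule:<15} {message}")
```

Two of the rules are about supply-chain trust rather than the running container: an unpinned base image and a script piped from a URL mean that rebuilding the same Dockerfile tomorrow can produce a different image, so findings from a later vulnerability scan cannot be tied back to a source. Linting the Dockerfile complements, and does not replace, scanning the built image for known-vulnerable packages.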

A Tale of Three Horses: Stefan Streichsbier

We all envy the unicorns like Amazon, Netflix, and Google. They have it all figured out and are light years ahead of the rest of the pack. However, most traditional organizations, which are called horses, have a hard time adopting Agile and DevOps approaches. This talk will explore security challenges that common organizations encounter as part of their digital transformation journey and show that DevOps is a perfect opportunity to embed security throughout this journey.

The DevSecOps Dilemma: Chris Corriere

This presentation will discuss a Nash equilibrium forming as a result of the tension between security and high-trust DevOps environments, the complementary set operations found outside the equilibria, and provide ecological examples of these adaptations. We’ll also take a look at the technologies we need to automate our environments and how moving with agility ends up making us safer in the long run.

Securing Modern Applications: Mike Douglas

In this seminar, we will discuss:
· The importance of addressing security through the entire development process
· Using OpenID Connect and OAuth 2.0 in modern application architecture with JavaScript frameworks like Angular 2 with social and enterprise identity providers
· How to architect your application to detect and prevent vulnerabilities including the OWASP Top 10 and Open Source Components
· How to verify code is secure during development by running automated penetration tests as part of your CI/CD process.

Automating Security in DevOps – Security in the Pipeline: DJ Schleen

Why Is DevOps Not DevSecOps? Joseph Feiman

DevOps has not yet become DevSecOps, leaving DevOps insecure. What is preventing security from integration into DevOps? This presentation offers the answer. It defines capabilities that application security should adopt, explains how existing technologies should change, forecasts emerging technologies, and estimates the pace of application security transformation in the era of DevOps. In this presentation, we prove that DevSecOps is in need of technologies with specific features and technologies that application development, operation, and security specialists have to learn, see, or run. Only these technologies will seamlessly integrate into DevOps, making it DevSecOps. We name these technologies, forecast the pace of their adoption, and evaluate benefits of adopting one technology versus another.

We Are All Equifax: The Data Behind DevSecOps: Derek Weeks

This session aims to enlighten DevOps teams, security and development professionals by sharing results from the 2017 State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis. Throughout the discussion, I will share lessons that Deming employed decades ago to help us accelerate adoption of the right DevSecOps culture, practices, and measures today. Attend this session and leverage the insights to understand how your organization's application DevOpsSec practices compare to others. We'll share the industry benchmarks to take back and discuss with your DevOps, development and security teams.

Escrow: How To Share Secrets: Kyle Rockman

Let’s face it: application configuration via environment variables is hard. This is why at Under Armour we decided it was worth reducing the barrier to entry. Enter Escrow, a way to compose and share hierarchical environment variable configuration to make updating hundreds of microservices easy. Here at Under Armour we wanted to avoid these pitfalls while still being able to scale out usage to everyone in the organization, all while making it easy to share environment variables and making the updating process more transparent.

A DevOps State of Mind: Continuous Security with DevSecOps + Containers: Chris Van Tuin

Is your organization ready to address the security risks of containers in your DevOps environment? Learn about the top security risks with containers and how to incorporate security best practices at scale with DevSecOps. With the rise of DevOps, containers are on the brink of becoming a pervasive technology in enterprise IT to accelerate application delivery for the business. When it comes to adopting containers in the enterprise, security is the highest adoption barrier.

Security In The Land of Microservices: Jack Mannino

Using real-world examples of successes and failures while building a microservice architecture, we will discuss what translates well from monolithic design to microservices, and the bad habits you should leave behind. We will demonstrate how to build authentication into a microservice architecture and how to implement a granular authorization scheme that will work effectively as you introduce new services. At the end of this presentation, you’ll understand what separates microservices from traditional monolithic applications and understand the problem space from a secure architectural perspective.

Build It and They Will Come-pliant: DevSecOps in the Real World: Julie Tsai

This talk will focus on real-world examples of using Security/Compliance to drive DevOps practices, and vice versa. Availability, security and compliance can come together in workflows that sing. Bring security and configuration management upstream into your development and operations ways of working. Transcending old silos becomes a joyful habit benefiting the customer, the business, and your quality of work life.

DevOps: A How-To for Agility with Security: Murray Goldschmidt

This presentation will cover advanced techniques on security automation across the service delivery lifecycle including static and dynamic code analysis, continuous monitoring for infrastructure and platform vulnerability management. The model addresses cybersecurity threats across various attack vectors including hacking, insider threats and denial of service.

Secure DevOps for Enterprise Cloud Apps: Insights and Lessons Learned: Sudhindranath Byna

At Microsoft IT, we have been through an adventurous journey in migrating enterprise line of business applications to the cloud. In the process, we ‘left-shifted’ security and empowered teams to become self-sufficient. In the session, we will share our experiences implementing the above framework in the context of real line of business application scenarios. We will also demonstrate the cumulative risk reduction that was achieved coupled with improvements in efficiency. We will end with key insights and lessons learned from the experience.

Secure DevOps for Enterprise Cloud Apps: Insights and Lessons Learned: Manish Prabhu

Manish owns defining and delivering secure DevOps for the cloud transformation of Microsoft IT. Manish has been driving the effort to create engineering tools, automation and guidance that enable secure DevOps in Azure and accelerate cloud transformation for an enterprise. Manish has been at Microsoft for 21 years and has worked in Information Security since 2001. His security experience ranges from designing the security of enterprise servers such as BizTalk, Commerce and Host Integration Server, embedded systems such as Microsoft Automotive Embedded (Blue-&-Me and Ford SYNC), and line-of-business IT solutions for HR, Sales, Marketing, etc., to consulting for Microsoft's global partners and customers. Manish has taught undergraduate and postgraduate courses in software security to engineering students. In his early years at Microsoft, Manish was a developer on the COM/COM+ and .NET Runtime (CLR) teams, where he worked in the field of distributed objects and remoting.

Tyro Payments: Securing Australia's Newest Bank: Edwin Kwan

As Australia's newest bank, we need to innovate and move fast. We use an Agile methodology, build the NextGen Bank on a microservices architecture and do continuous releases. Doing this securely, without making security a bottleneck, presents a unique challenge. In this presentation, Edwin Kwan will talk about Tyro's SSDLC (Secure Software Development Life Cycle) security journey. He will be talking about the security approaches that were taken, sharing what worked well, what didn't work (and why) and what they are trying now.

Remove Developers' Shameful Secrets: Fabian Lim

I started out with one goal: to eliminate hard-coded secrets in code repositories. I’ve searched a long time to find a process / solution. There are many secret management tools out there, but none talks in detail about the secret sauce for integrating them into your DevOps pipeline. For this talk, I will do a short demo using some (or one) of these secret management tools to automate security into CI/CD, building on my previous workflow.
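
Moving secrets into a management tool only helps if the pipeline also refuses new hard-coded ones. Below is an added example of the detection side, a pre-commit style scan (not code from this talk and not any particular secret management tool). It combines signature patterns for credential formats that have a fixed shape with a check for credential-named assignments whose literal value is scored by Shannon entropy. The sample files are constructed, and the patterns and threshold are assumptions a team would tune.

```python
"""Pre-commit scan for hard-coded secrets in staged source.

Added example, not code from the talk and not any particular secret
management tool. Two complementary detectors: signature patterns for
credential formats with a fixed shape, and a credential-named-assignment
check whose literal value is scored by Shannon entropy. The sample files
are constructed, and patterns and thresholds are assumptions to tune.
"""
import math
import re

# Constructed sample: a few staged files keyed by path.
SAMPLE_FILES = {
    "settings.py": [
        'DEBUG = False',
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'DB_PASSWORD = os.environ["DB_PASSWORD"]',
        'api_token = "9f8e7d6c5b4a39281706f5e4d3c2b1a09876543210fedcba"',
        'greeting = "hello world"',
    ],
    "deploy.pem": [
        '-----BEGIN RSA PRIVATE KEY-----',
    ],
}

# Credential formats with a fixed shape: a match is a finding on its own.
SIGNATURES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
]

# name = "literal" where the name suggests a credential and the literal is at
# least 8 characters. A value read from the environment does not match.
CREDENTIAL_LITERAL = re.compile(
    r"(?i)\w*(?:password|passwd|secret|token|api[_-]?key|private[_-]?key)\w*"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s):
    """Bits per character: about 4 for random hex, about 6 for random base64,
    usually below 3.5 for words and other predictable strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line, entropy_threshold=3.5):
    """Return the rule names that fire on a single line."""
    hits = [name for name, rx in SIGNATURES if rx.search(line)]
    m = CREDENTIAL_LITERAL.search(line)
    if m:
        hits.append("credential-literal")
        if shannon_entropy(m.group(1)) >= entropy_threshold:
            hits.append("high-entropy-literal")   # the stronger signal
    return hits


def scan(files, entropy_threshold=3.5):
    """Return [(path, lineno, rule)] across all files."""
    findings = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, 1):
            for rule in scan_line(line, entropy_threshold):
                findings.append((path, lineno, rule))
    return findings


if __name__ == "__main__":
    import sys
    results = scan(SAMPLE_FILES)
    for path, lineno, rule in results:
        print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if results else 0)   # non-zero blocks the commit in a pre-commit hook
```

The entropy score is what separates a generated token from a placeholder such as "changeme" assigned to the same variable name, but it is a ranking aid, not a verdict: a weak, low-entropy password is still a hard-coded secret, so the credential-named assignment is reported on its own and the entropy rule only raises its priority. Such a scan belongs both in a local pre-commit hook and in CI, since hooks can be bypassed.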

0 to 60 Researchers - Jumpstarting a Bug Bounty Program: Ty Sbano

Join Lending Club’s Director of Application Security, Ty Sbano, and Lending Club’s Bug Bounty Program Engineer, Wendy Zenone, as they provide details of their nine-month journey from zero to sixty security researchers. Lending Club’s tech organization applies an Agile mindset and DevOps practices, and integrating a private bug bounty program came with a few takeaways. The Lending Club Application Security team will discuss how they integrated another layer of security, provided a dose of reality to their secure software development lifecycle and helped foster a strong relationship with the security researcher community.