DevOps AppSec Pipeline Velcocity NY 2015

•Als PPTX, PDF herunterladen•

1 gefällt mir•1,008 views

Practical methodology and example for building out an application security program using DevOps principles. Need to scale out your program but don't have the resources? Find out how we quadrupled our output in one year without adding more security resources. #rugged #devops #appsec

Technologie

Building an AppSec Pipeline:
Keeping your program, and
your life, sane
Aaron Weaver
Protiviti
Matt Tesauro
Pearson

Henry Ford: The sponsor of the
development of the assembly line

The Phoenix Project
3 Ways of DevOps
Strategies for Improving
Operations

#1 - Workflow
Look at your purpose and those
processes which aid it

#2 - Improve Feedback
Open yourself to upstream
and downstream information

#3 - Continual
Experimentation & Learning
Create a culture of innovation
and experimentation

Spending time
optimizing anything
other than the critical resource is
an illusion.

For AppSec
the critical resource is
the people.

Pipeline - Intake
▪ “First Impression”
▪Major categories of Intake
- Existing App
- New App
- Previously tested App
- App to re-test findings
▪Key Concepts
- Ask for data about Apps only once
- Have data reviewed when an App returns
- Adapt data collected based on broad
categories of Apps

Pipeline - Test
▪Inbound request triage
▪Ala Carte App Sec
- Dynamic Testing
- Static Testing
- Re-Testing mitigated findings
- Mix and match based on risk
▪Key Concepts
- Activities can be run in parallel
- Automation on setup, configuration, data
export
- People focus on customization rather than

Pipeline - Deliver
▪Source of truth for all AppSec Activities
▪ThreadFix is used to
- Dedup / Consolidate findings
- Normalize scanner data
- Generate Metrics
- Push issues to bug trackers
▪Report and metrics automation
- REST + tfclient
▪Source of many touch points with external
teams

Application Security Tools Orchestration
Automate Security Tooling

Integrating into the DevOps Pipeline
DevOps Pipeline AppSec Pipeline

Dev & AppSec Tool Integration
OWASP ZAP
Proxy
BuildManageCode Store
RAPTOR
Deploy
OWASP ZAP
Proxy
*Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.

Bag of Holding
aka BoH
github.com/PearsonEducation/bag-of-holding

What does BoH do?
▪Manages our Application Security Program
▪Application Repository
▪Engagement Tracking
▪Report Repository
▪Comments on any application, engagement or activity
▪Data Classification and PII data
▪Time taken on secure software activities
▪Historical knowledge of past assessments
▪Credential repository
▪Environment details

Scheduling of Secure Software Activities

Your command line where you have your conversations.

Threadfix Integration
And more:
Create an Application
Get Summary Metrics for
AppSec Program

BOH/Threadfix/Static Integration
Setup recurring static analysis in about 1 minute!

https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

Thanks!
Aaron Weaver
@weavera
aaron.weaver@owasp.org
aaron.weaver2@gmail.com
/in/aweaver
Matt Tesauro
@matt_tesauro
matt.tesauro@owasp.org
mtesauro@gmail.com
/in/matttesauro
github.com/mtesauro

Weitere ähnliche Inhalte

Was ist angesagt?

Any optimization outside the critical constraint is an illusion. In DevSecOps , the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and provide real world experiences of creating DevSecOps Pipeline’s augmented with automation in multiple enterprises. Getting started can feel overwhelming but this talk provides coverage of the fundamental building blocks of adding automation to an DevSecOps program including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example, customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.

Continuous Security: Using Automation to Expand Security's Reach

Matt Tesauro

Are you currently running at AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you’re catching vulnerabilities as early and often as possible? The AppSec team and the business created an AppSec Pipeline to handle the work flow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place.

Building an AppSec Pipeline: Keeping your program, and your life, sane

weaveraaaron

You’ve probably heard many talks about DevSecOps and continuous security testing but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool which has been used in real world companies to do real security work. Beyond a stand alone tool, the OWASP AppSec Pipeline provides numerous docker containers ready to automate, a specification to customize with the ability to create your own implementation and references to get you started. The talk will also cover how to add an AppSec Pipeline to your team’s arsenal and provide example templates of how best to run the automated tools provided. Finally, we’ll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather then hear about it, this talk is for you.

Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...

Matt Tesauro

Automating OWASP Tests in your CI/CD

rkadayam

Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls. My talk from Secure Coding Virtual Summit (2021-03-24)

Taking the Best of Agile, DevOps and CI/CD into security

Matt Tesauro

AppSec is Eating Security

Alex Stamos

Succeeding-Marriage-Cybersecurity-DevOps final

rkadayam

With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.

AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program

Denim Group

SecDevOps Risk Workflow - v0.6

Dinis Cruz

Integrating DevOps and Security

Stijn Muylle

This talk instills the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered including increasing team throughput, engaging and supporting external teams, The idea is to give the audience a leg up on starting a DevSecOps program and allowing them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of DevSecOps quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a DevSecOps journey.

DevSecOps Fundamentals and the Scars to Prove it.

Matt Tesauro

Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage and Alan Shimel Co-Founder of DevOps.com will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security: Go beyond the traditional using DevOps tools, practices, methods to create a force multiplier of SecDevOps Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities Examples of security automation, case situations minimizing risk and driving flexibility for DevOps See how SaaS provider CloudPassage integrates security into its own development and operations workflows

SecDevOps: The New Black of IT

CloudPassage

DevSecOps - Building Rugged Software

SeniorStoryteller

we45 SecDevOps Presentation - ISACA Chennai

Abhay Bhargav

Embracing the Rise of SecDevOps

Tom Cappetta

we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized automated and threat modeled penetration testing model for every release of the produce lifecycle. Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.

we45 - SecDevOps Concept Presentation

Abhay Bhargav

Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive. Key Takeaways: -Great places in the user journey to inject security tests - Ways to augment existing test approaches to cover security concerns - Typical security tools that are free, cheap, and easy for software testers

Zen and the art of Security Testing

TEST Huddle

Not every continuous delivery (CD) initiative starts with someone saying “Drop everything. We’re going to do DevOps.” Sometimes, you have to grow your process incrementally. And sometimes you don’t set out to grow at all—you are just fixing problems with your process, trying to make things better. Gene Gotimer discusses techniques and the chain of tools he has used to bring a DevOps mindset and CD practices into a legacy environment. Gene discusses how his team started fixing problems and making process improvements in development. From there, they tackled one problem after another, each time making the release a little better and a little less risky. They incrementally brought their practices through other environments until the project was confidently delivering working and tested releases every two weeks. Gene shares their journey and the tools they used to build quality into the product, the releases, and the release process.

Continuous Delivery in a Legacy Shop - One Step at a Time

Gene Gotimer

Application Security at DevOps Speed - DevOpsDays Singapore 2016

Stefan Streichsbier

DevSecOps - It can change your life (cycle)

Qualitest

Was ist angesagt? (20)

Continuous Security: Using Automation to Expand Security's Reach

Building an AppSec Pipeline: Keeping your program, and your life, sane

Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...

Automating OWASP Tests in your CI/CD

Taking the Best of Agile, DevOps and CI/CD into security

AppSec is Eating Security

Succeeding-Marriage-Cybersecurity-DevOps final

AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program

SecDevOps Risk Workflow - v0.6

Integrating DevOps and Security

DevSecOps Fundamentals and the Scars to Prove it.

SecDevOps: The New Black of IT

DevSecOps - Building Rugged Software

we45 SecDevOps Presentation - ISACA Chennai

Embracing the Rise of SecDevOps

we45 - SecDevOps Concept Presentation

Zen and the art of Security Testing

Continuous Delivery in a Legacy Shop - One Step at a Time

Application Security at DevOps Speed - DevOpsDays Singapore 2016

DevSecOps - It can change your life (cycle)

Andere mochten auch

Automated Security Testing

seleniumconf

Security testing is an important part of any (agile) secure software development lifecyle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers." Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP's security development lifecycle which supports the specific needs of the various software development models at SAP. In this presentation, we will briefly presents SAP's approach to an agile secure software development process in general and, in particular, present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.

Agile Secure Software Development in a Large Software Development Organisatio...

Achim D. Brucker

Continous Integration of (JS) projects & check-build philosophy

François-Guillaume Ribreau

Pythonista も ls を読むべきか？

Katsunori FUJIWARA

Measuring the effectiveness of any security activity is widely discussed – security leaders debate the topic with a religious fervor rivaling that of any other hot button issue. Virtually every organization has some sort of application security training effort, but data on training effectiveness remains scarce. Last year our research team delivered the first-ever survey that captured developer awareness of secure coding concepts and the impact of formal application security training on a developer’s ability to write secure code. We learned that most software developer were aware of certain application security concepts, yet when asked how to write more secure code, they faired poorly. This year’s 600-developer survey provides more quantitative data on what software developers understand about application security, both concepts and practices. It dives most deeply into awareness of defensive coding practices, which most developers largely did not grasp in the 2013 survey. It also is separates respondents by roles, so we can better understand how architects, developers, and QA staff grasp key application security concepts and put them to work. It better captures how software developers learn in general, so one can tailor any security training effort to how software developers, in practice, actually learn. This information will provide data to application security managers responsible for corporate security training that should allow them them to make more fact-based decisions about security training.

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data

Denim Group

Rugged DevOps: Bridging Security and DevOps

James Wickett

Security testautomation

Linkesh Kanna Velu

Continuous Security Testing in a Devops World #OWASPHelsinki

Stephen de Vries

Cybersecurity by the numbers

APNIC

Threat Modeling And Analysis

Lalit Kale

Continuous and Visible Security Testing with BDD-Security

Stephen de Vries

Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests Integration depends on the level of cultural integration of security into DevOps. 3 Models of test ownership: 1. Owned by Security team - least desirable 2. Owned by DevOps, overseen by security - better 3. Owned by SecDevOps, look Ma, no silos. Overview of BDD-Security Configuring Jenkins with BDD-Security as inline tests

Automating security tests for Continuous Integration

Stephen de Vries

By Bill Estrem, MN Chapter Conference 11/15/2013 Get Lucky: Building Risk Management into Enterprise Architecture This presentation will examine how enterprise architects can apply risk management capabilities to the development and operation of an enterprise architecture. The approach incorporates the TOGAF 9 Risk Management framework along with other risk management methods. In particular, the approach will focus on the The Open Group Risk Management Taxonomy and Risk Assessment standard. Bill Estrem - President of Metaplexity Associates LLC

Building Risk Management into Enterprise Architecture

iasaglobal

Integración contínua con Jenkins

César Hernández

If you're trying to figure out how to run enterprise applications and services on AWS securely, come join Intuit and the AWS Professional Services team to learn how to embrace a new discipline called DevSecOps. You'll learn more about software-defined security and why we think that DevSecOps helps organizations large and small adopt cloud services at a rapid pace. We'll provide you with links and information to help you get started with creating your own DevSecOps team.

(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014

Amazon Web Services

OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images. This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.

OWASP WTE - Now in the Cloud!

Matt Tesauro

Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches. We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing. http://lascon.org http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3

New Farming Methods in the Epistemological Wasteland of Application Security

James Wickett

Real World Application Threat Modelling By Example

NCC Group

DevSecOps: Taking a DevOps Approach to Security

Alert Logic

Continuous Security Testing - DevSecCon

Stephen de Vries

Andere mochten auch (20)

Automated Security Testing

Agile Secure Software Development in a Large Software Development Organisatio...

Continous Integration of (JS) projects & check-build philosophy

Pythonista も ls を読むべきか？

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data

Rugged DevOps: Bridging Security and DevOps

Security testautomation

Continuous Security Testing in a Devops World #OWASPHelsinki

Cybersecurity by the numbers

Threat Modeling And Analysis

Continuous and Visible Security Testing with BDD-Security

Automating security tests for Continuous Integration

Building Risk Management into Enterprise Architecture

Integración contínua con Jenkins

(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014

OWASP WTE - Now in the Cloud!

New Farming Methods in the Epistemological Wasteland of Application Security

Real World Application Threat Modelling By Example

DevSecOps: Taking a DevOps Approach to Security

Continuous Security Testing - DevSecCon

Ähnlich wie DevOps AppSec Pipeline Velcocity NY 2015

Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest

Matt Tesauro

Building an Open Source AppSec Pipeline

Matt Tesauro

A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.

Monitoring Application Attack Surface and Integrating Security into DevOps Pi...

Denim Group

Alten calsoft labs enterprise app store framework

Sandeep Vyas

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...

PROIDEA

Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“. AppSec needs to look beyond itself for answers to solving problems since we live in a world of every increasing numbers of apps. Technology and apps have invaded our lives, so how to you lead a security counter-insurgency? One way is to look at the key tenants of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.

Lessons from DevOps: Taking DevOps practices into your AppSec Life

Matt Tesauro

Wouldn’t it be good to know how your application or service is being used and is performing while its running live? It is essential to have more insights into the running application as the cycle time for delivering new features and releases speed up. We will cover how to detect, triage and diagnose different scenarios and provide the necessary input to quickly and correctly act to resolve situations. The focus is on web applications or services running on-premise or hosted in the cloud.

Performance monitoring in a DevOps World

Solidify

Developing Highly Instrumented Applications with Minimal Effort

Tim Hobson

Achieve AI-Powered API Privacy using Open Source

Gianluca Brigandi

There are a number of reasons to use source code to assist in web application penetration testing such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code. This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.

The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...

Denim Group

Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out. Two different interactions are examined: • How can knowledge of code make application scanning better? • How can application scan results be mapped back to specific lines of code? Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web applications scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific line of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is give to Java/JSP applications and Java/Spring applications and how teams using these frameworks can best benefit from these interactions.

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...

Denim Group

Splunk Data Onboarding Overview - Splunk Data Collection Architecture

Splunk

[Wroclaw #5] OWASP Projects: beyond Top 10

OWASP

DevOps and Application Delivery for Hybrid Cloud - DevOpsSummit session

Sanjeev Sharma

Process Tempo + Neo4j API Security Brief

Neo4j

Splunk MINT and Stream Breakout

Splunk

This webinar demonstrates how organizations can use the ThreadFix application vulnerability resolution platform to improve vulnerability resolution time and protect applications with Prevoty's RASP technology. Join Denim Group CTO and Principal Dan Cornell and Prevoty VP, Marketing and Product, Arpit Joshipura for a free webinar to learn more about these tools that can help application security teams. This webinar provides an overview how to use ThreadFix and Prevoty's RASP to run a high-efficiency, high visibility application security program.

Running a High-Efficiency, High-Visibility Application Security Program with...

Denim Group

DevOps : Integrate, Deliver and Deploy continuously with Visual Studio Team S...

BAINIDA

Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0

minseok kim

Far too often application security decisions are made in an ad hoc manner and based on little or no data. This leads to an inefficient allocation of scarce resources. To move beyond fear, uncertainty and doubt, organizations must adopt an approach to application risk management based on a structured process and quantitative data. This presentation outlines such an approach for organizations to enumerate all the applications in their portfolio. It then goes through background information to collect for each application to support further decision-making. In addition, the presentation lays out an application risk-ranking framework allowing security analysts to quantitatively categorize their application assets and then plan for assessment activities based on available budgets. This provides the knowledge and tools required for them to use the approach on the applications they are responsible for in their organization. Please email dan _at_ denimgroup dot com for a template spreadsheet and a how-to guide.

Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

Denim Group

Ähnlich wie DevOps AppSec Pipeline Velcocity NY 2015 (20)

Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest

Building an Open Source AppSec Pipeline

Monitoring Application Attack Surface and Integrating Security into DevOps Pi...

Alten calsoft labs enterprise app store framework

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...

Lessons from DevOps: Taking DevOps practices into your AppSec Life

Performance monitoring in a DevOps World

Developing Highly Instrumented Applications with Minimal Effort

Achieve AI-Powered API Privacy using Open Source

The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...

Splunk Data Onboarding Overview - Splunk Data Collection Architecture

[Wroclaw #5] OWASP Projects: beyond Top 10

DevOps and Application Delivery for Hybrid Cloud - DevOpsSummit session

Process Tempo + Neo4j API Security Brief

Splunk MINT and Stream Breakout

Running a High-Efficiency, High-Visibility Application Security Program with...

DevOps : Integrate, Deliver and Deploy continuously with Visual Studio Team S...

Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0

Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

Kürzlich hochgeladen

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Architecting Cloud Native Applications

WSO2

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Exploring Multimodal Embeddings with Milvus

Zilliz

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

Kürzlich hochgeladen (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - The value of a flexible API Management solution for O...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Corporate and higher education May webinar.pptx

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

[BuildWithAI] Introduction to Gemini.pdf

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

MS Copilot expands with MS Graph connectors

Understanding the FAA Part 107 License ..

Architecting Cloud Native Applications

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

presentation ICT roal in 21st century education

CNIC Information System with Pakdata Cf In Pakistan

How to Troubleshoot Apps for the Modern Connected Worker

Boost Fertility New Invention Ups Success Rates.pdf

Exploring Multimodal Embeddings with Milvus

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Introduction to Multilingual Retrieval Augmented Generation (RAG)

DevOps AppSec Pipeline Velcocity NY 2015

1. Building an AppSec Pipeline: Keeping your program, and your life, sane Aaron Weaver Protiviti Matt Tesauro Pearson

2. Henry Ford: The sponsor of the development of the assembly line

3. Assembly Lines

4. The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations

5. #1 - Workflow Look at your purpose and those processes which aid it

6. #2 - Improve Feedback Open yourself to upstream and downstream information

7. #3 - Continual Experimentation & Learning Create a culture of innovation and experimentation

8. AppSec Pipelines

9. Spending time optimizing anything other than the critical resource is an illusion.

10. For AppSec the critical resource is the people.

11.

12. Our Pipeline

13. Pipeline - Intake ▪ “First Impression” ▪Major categories of Intake - Existing App - New App - Previously tested App - App to re-test findings ▪Key Concepts - Ask for data about Apps only once - Have data reviewed when an App returns - Adapt data collected based on broad categories of Apps

14. Pipeline - Test ▪Inbound request triage ▪Ala Carte App Sec - Dynamic Testing - Static Testing - Re-Testing mitigated findings - Mix and match based on risk ▪Key Concepts - Activities can be run in parallel - Automation on setup, configuration, data export - People focus on customization rather than

15. Pipeline - Deliver ▪Source of truth for all AppSec Activities ▪ThreadFix is used to - Dedup / Consolidate findings - Normalize scanner data - Generate Metrics - Push issues to bug trackers ▪Report and metrics automation - REST + tfclient ▪Source of many touch points with external teams

16.

17.

18. Application Security Tools Orchestration Automate Security Tooling

19. Integrating into the DevOps Pipeline DevOps Pipeline AppSec Pipeline

20. Dev & AppSec Tool Integration OWASP ZAP Proxy BuildManageCode Store RAPTOR Deploy OWASP ZAP Proxy *Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.

21. Bag of Holding aka BoH github.com/PearsonEducation/bag-of-holding

22. Minimal Viable Product

23. What does BoH do? ▪Manages our Application Security Program ▪Application Repository ▪Engagement Tracking ▪Report Repository ▪Comments on any application, engagement or activity ▪Data Classification and PII data ▪Time taken on secure software activities ▪Historical knowledge of past assessments ▪Credential repository ▪Environment details

24. Application Repository

25. Application Security Profile

26. Scheduling of Secure Software Activities

27. AppSec ChatOps aka Will

28. Your command line where you have your conversations.

29. AppSec Help

30. AppSec Advice

31. Threadfix Integration And more: Create an Application Get Summary Metrics for AppSec Program

32. BOH/Threadfix/Static Integration Setup recurring static analysis in about 1 minute!

33. https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

34. Thanks! Aaron Weaver @weavera aaron.weaver@owasp.org aaron.weaver2@gmail.com /in/aweaver Matt Tesauro @matt_tesauro matt.tesauro@owasp.org mtesauro@gmail.com /in/matttesauro github.com/mtesauro