DevSecOps: The Evolution of DevOps
Have you ever asked yourself the following questions:
What does DevSecOps mean?
How is this different from DevOps?
What can we learn from the DevOps movement?
If so, please join us to listen and interact with James Betteley who will share his experience of shaping DevOps and what he foresees will happen with DevSecOps.
A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes. Developers today face a massive onslaught of new and old attack vectors in both the code they write and the open source they use.
Information Security departments often view containers as challenging to manage (code moves too fast for risk analysis, thousands of containers with limited visibility or control). Government organizations such as NIST have come out with guidelines for Application Container Security, while serverless technologies such as Azure Container Instances or AWS Fargate create additional challenges regarding how security risks are managed.
In this presentation we will look at these challenges and demonstrate how security controls can be continuously embedded into the application lifecycle.
The standard approach to setting up a bastion server (or jump box) has enough weaknesses already. Managing secure access to your VPCs for hundreds of users and hundreds of servers multiplies these weaknesses.
I found the available solutions lacking.
Here I briefly cover the issues and present a working production solution that immutably deploys SSH bastion access as a stateless service on AWS, managed entirely with Terraform – no build chain, no registries, no secrets management, and instantaneous access.
The result is a bastion server that isn’t there, until the moment a user calls for it and then it can be their special snowflake, just for them, briefly, until it’s gone.
Threat Modelling can be a laborious and time-consuming exercise, which is not a happy marriage with CI and DevOps methodologies. In this talk, I shall outline my Rapid Threat Model Prototyping paradigm, which I have successfully been using both at Visa and Photobox. My method enables automation and inclusion into fast-moving development cycles and is well-suited for today’s IT environments.
Aubrey Stearn: How To Save A Burning Programme
Kaveh Goudarzi and Michael Man: Implementing SAST IRL
Chris Rutter: Micro Threat Modelling For Agile Delivery Works
Stuart Gunter: Real World Security
Alexandre Fiori: Vulnerability Management At Scale At Facebook
Hot Topic 1: Multiple releases a day, what security testing should be considered and adopted?