Authors: Krishna Rajeesh Nallur Valiyaveettil, Brendan Kelly

tldr - powered by Generative AI

The presentation discusses the risks and challenges in the software supply chain and how to combat them through a DevSecOps pipeline that includes continuous integration, continuous deployment, and continuous compliance.
  • The software supply chain is vulnerable to risks such as compromised source code management tools, build container platforms, and package repositories like container registries.
  • The DevSecOps pipeline aims to shift security left by finding security problems as soon as possible before they reach production environments.
  • The pipeline is defined as code and supports multiple development languages, consistent testing approaches, and shared pipeline templates.
  • The pipeline includes continuous compliance based on gold to ensure continuous security and compliance with regulations.
  • The pipeline also addresses auditing challenges through automated evidence gathering and a dashboard for viewing vulnerabilities.
  • The pipeline aims to detect new vulnerabilities and zero-day bugs as soon as possible.
Authors: Ken Toler

tldr - powered by Generative AI

The presentation discusses the importance of threat modeling and testing in web3 organizations and the need for understanding code in web3.
  • Threat modeling is important in web3 organizations and should be done iteratively starting with a contract or cloud infrastructure
  • Writing tests is crucial in web3 organizations
  • Learning to code is important for effective communication with developers in web3 organizations
Authors: Chen Gour-Arie

"and this mess is so big and so deep and so tall - we can not pick it up, there is no way at all" – Dr. Seuss

The evolution of application security coincides, for the most part, with the innovations in the realm of applications themselves. When characterizing each of these chapters, we see that while the techniques and tools of application security may have changed, the challenge has remained the same – AppSec is always playing catch-up. Is there anything we can do as AppSec professionals to change this vicious cycle? In order to better secure our future, we must first look at the past.

This presentation will define, for the first time, the four major transformation periods of application security:

1. Primordial Terminal Applications
2. Thick Application Clients
3. The Web Application Era
4. Mobile, SPA & Cloud Native Applications

We will review the mistakes we have made as AppSec practitioners and the impact we’ve had on each transformation stage. But most of all, we will ask the critical question – why do we have more problems today in AppSec yet so many more security solutions and innovations? The answer lies in the fact that although we’ve tried, AppSec still evolves at a slower pace than engineers in application development.

We will always need application security – just as a door needs a lock and a yard needs a fence. It’s the classic game of offense and defense: innovation will spur incredible progress in application development, which in turn will surface new vulnerabilities, attack vectors and challenges. As AppSec professionals, now is the moment to tie the game and stop playing catch-up. So although demoralized, we are not defeated!

The final part of my presentation will discuss the ways in which AppSec can become as agile as development and transform! But in order to pave the road for this future, we must learn important lessons from our past. Welcome to AppSec story time!
Authors: Joshua Bregler, Corbin Moyer

Make no mistake, secure development relies on automation. In a DevSecOps culture, having scalable, reliable tools and processes is the only way to make DevSecOps a reality. Creativity and technical chops are lauded for their ability to bring magic from the machines. However, is anyone in charge of making sure that your organization is automating the right things? How much attention is being paid towards supporting that automation across an Enterprise? The security is baked in, right? It may just be possible to focus so heavily on automation and tools that disparate teams lose sight of the bigger picture.

This talk discusses the pitfall that many organizations trip into all too readily. By focusing forcefully or narrowly on automation, an organization can find itself creating technical debt, waste, and classically unsupportable support systems. We utilize two real-world case studies to clearly demonstrate classic automation problems and propose functional solutions. Audiences will come away with data-driven DevSecOps security management techniques as well as how to recognize and accept the trade-offs in a secure DevSecOps culture. This includes how to avoid creating new, unintended, invisible stove-pipe problems, drawing from our 25+ years of experience in the military and commercial spaces. Finally, we explore methods to find these opportunities, track meaningful metrics, and recognize when you’ve fallen over the edge.
Authors: Chris Koehnecke

tldr - powered by Generative AI

The presentation discusses the OWASP DevSecOps Maturity Model and how to practically apply security controls using open source tools for each requirement.
  • The OWASP DevSecOps Maturity Model provides a framework for companies to apply security in a cloud-native and fast-paced engineering world.
  • Whatever isn't automated is much more difficult to practically apply to systems.
  • Open source security tools have evolved and provide good coverage for many of the layers of the DSOMM model.
  • The presentation walks through the different security requirements in the DSOMM framework and does live code demos for each.
  • Prioritization of security issues can be done per each pull request.
  • The speaker shares their experience with implementing security processes in a startup environment.
  • Developers owning security is seen as the future of the security industry.
Authors: Paul McCarty

tldr - powered by Generative AI

The DevSecOps Playbook is a flexible guide for implementing cybersecurity practices in any organization, regardless of size or expertise.
  • The DevSecOps Playbook is a guide for implementing cybersecurity practices in any organization
  • It is flexible and can be adapted to any size or type of organization
  • The Playbook is broken down into domains of ownership, with prioritization and difficulty levels for each task
  • The Playbook includes an addendum for compliance
  • The Playbook is a work in progress, with ongoing collaboration and updates
Authors: Chip Zoller, Brandt Keller

Getting an environment approved for production can be a painful process; case in point: government and Department of Defense (DoD) environments, which require the strictest of controls be met, though the same is true for other highly-regulated industries. Engineering and security teams must validate that the security controls are satisfied while continuing to audit, yet these are often siloed teams. Reviewing these standards is still an archaic and painful process of managing a spreadsheet or checking text boxes. In this talk, we will share how the Department of Defense is solving this by ensuring compliance through policy in order to capitalize on the promise of DevSecOps. Using Big Bang, a tool for providing secure-by-default environments with pre-integrated tools, and Iron Bank, a DoD repository of signed and hardened application images, along with Kyverno, a Kubernetes-native policy engine, teams are able to get compliant faster and reach mission-ready status sooner.
Authors: Jesse Sanford, Jason Hall

Secure software supply chain practices have begun to permeate all aspects of software development. But what about the orchestration of our infrastructure? With the proliferation of infrastructure as code, many of the same threats posed to software supply chains are also threats to our IaC ecosystems. IaC provides clear advantages to platform teams, bringing uniformity and productivity to developers, but with the great power bestowed to it, it also presents a juicy target for supply chain attacks, often while no one is looking. It's only a matter of time before our Site Reliability Engineers will need to defend against the same attack vectors as their Software Engineer counterparts. How can DevSecOps practitioners learn from the patterns and practices being developed by projects like SLSA? Can IaC pipelines build on tooling like Sigstore and in-toto? This talk covers the application of software supply chain security principles to modern IaC pipelines. Jesse and Jason discuss design changes to the Crossplane package management system and its forthcoming integration with Sigstore, enabling IaC provenance and attestations. Finally, a demo showcasing the equivalent of “admission control” for IaC will provide inspiration for further work on Secure IaC Supply Chains.
Authors: Dov Hershkovitch

DevSecOps extends the DevOps ecosystem with the security aspect. Sensitive information is everywhere, be it passwords, secret tokens or exchanged IDs used to gain access to tools and platforms. The problem has been addressed by many secret management solutions and frameworks, yet this creates another problem: which to choose, and how best to integrate it into your DevOps processes? Engineers have started to work around the security protocols, and often sensitive information is stored in insecure ways. A plaintext token can lead to security leaks and, in a worst case scenario, business incidents. JSON Web Token (JWT) aims to build the integration bridge as an open standard for security claims exchange. Join this session to learn how in GitLab we leverage JWT tokens to access different secret management solutions, including major cloud providers. Hear best practices on the challenges of retrieving sensitive data and how to enhance the DevSecOps security processes in your organization.
Authors: Ayse Kaya

tldr - powered by Generative AI

The talk discusses the evolution of vulnerabilities in popular public container images and the challenges faced by developers and DevSecOps teams in handling them. The speaker shares insights from a report on publicly available containers on Docker Hub and highlights the need for practical steps to prevent the dev process from grinding to a halt.
  • Container scanning and security is becoming more widely adopted, but the long-term security posture of containers is not well-understood.
  • New vulnerabilities arise constantly, and many vulnerabilities fall into a catchall bucket of 'won't fix'.
  • The attack surface of popular public container images like Python and NodeJS has changed over the past year, and different vulnerability scanners show different results.
  • Developers and DevSecOps teams face challenges in ensuring containerized applications are free from vulnerabilities due to the complexity of containers and manual processes.
  • Practical steps can be taken to stay on top of vulnerabilities and prevent the dev process from grinding to a halt.