DevOps & Security
Wednesday, November 17, 2021
To truly scale application security testing, developers need to maintain their role in the security process beyond SCA and SAST, continuing the automation they are already achieving and relying less on manual testing.
Traditional DAST scanners are a blocker to this automation. They are hard to use, impossible to integrate, not developer-friendly and produce too many false positives. This results in crippling human bottlenecks that stifle CI/CD, whether it's the need for security to constantly tweak scanners or the drain of manually validating vulnerabilities.
Either way, technical and security debt is compounded, resulting in insecure products hitting production. Change is needed, and fast.
In this session you will discover:
1. Key features that your dev-first DAST needs to enable developers to take ownership of security
2. How you can detect, prioritise and remediate security issues early, automated in the pipeline
3. Insights into reducing the noise of false alerts to remove your manual bottlenecks to shift left
4. Steps you can take to achieve security testing automation as part of your CI/CD, to test your applications and APIs.
Eighteen years into my career, I decided to pivot and move from infrastructure-related work to the world of application security. If there’s one thing I’ve learned in three years of working in application security, it’s that it’s a funny business. Our entire business model is based on pointing out the mistakes of other programmers. In this talk, I want to shoot myself in the foot and share some concepts that could help eliminate a lot of those mistakes, and reduce my job to snuffing out the more interesting mistakes.
In order to avoid being front-page news for having fallen victim to a big cyberattack, companies must learn to incorporate security processes directly into their development process; cue DevSecOps. Despite the growing prominence of DevSecOps, the disparity between security and engineering teams, along with a traditionally “reactive” approach to security, often stifles critical DevSecOps practices. In this talk, Chief Product Officer at Cobalt, Eric Brinkman, will show the importance of adding security practices into DevOps lifecycles, and how proactive security measures like pentesting can be integrated into developers’ workflows. Additionally, Eric will give real examples of how security and engineering teams can work hand-in-hand to test faster, remediate risks smarter, and ultimately make security stronger.
This talk is unique because 99% of developer productivity tools and hacks are about coding faster, better, smarter. And yet the vast majority of our time is spent doing all of this other stuff. After I started focusing on optimizing the 10 hours I spend every day on non-coding tasks, I found my productivity went up and my frustration at annoying stuff went way down.
I cover how to save time by reducing cognitive load and by cutting menial, non-coding tasks that we have to perform 10-50 times every day.
- A bug or hotfix comes through and you want to start working on it right away, so you create a branch and start fixing. What you don’t do is create a Jira ticket, but then later your boss/PM/CSM yells at you due to lack of visibility. I share how I automated ticket creation in Slack by correlating GitHub to Jira.
- You have 20 minutes until your next meeting, and you open a pull request and start a review. But you get pulled away halfway through, and when you come back the next day you have forgotten everything and have to start over. Huge waste of time. I share an ML job I wrote that tells me how long the review will take so I can pick PRs that fit the amount of time I have.
- You build it. You ship it. You own it. Great. But after I merge my code I never know where it actually is. Did the CI job fail? Is it released under a feature flag? Did it just go GA to everyone? I share a bot I wrote that personally tells me where my code is in the pipeline after it leaves my hands, so I can actually take full ownership without spending tons of time figuring out what code is in what release.
Explore the relationship between customer satisfaction and handling app hangs, errors and crashes.
In this session, we'll explain how Backtrace’s next generation crash reporting can ensure top-app rankings through advanced monitoring and how to integrate Backtrace in your existing Android and iOS apps.
- How to manage app errors, hangs and crashes - and why
- Understand the unique challenges for mobile app monitoring and reporting
- Learn how Backtrace simplifies mobile crash management
There are many ways to tell when your application breaks. But figuring out what caused it to break is slow and tedious as engineers hunt through logs and dashboards, piecing together the details of what happened.
Fortunately, unsupervised machine learning can speed up the process. It works by automatically finding the log events and metrics that describe the root cause, and it uses GPT-3 to provide a plain-language summary of the problem.
The business demanded rapid innovation. Software development and IT figured out how to provide it. But now we have a whole host of new problems. In the resulting world of cloud-native apps, microservices, and API-driven applications, what we came to rely on for keeping it all running and secure is no longer enough.
In this new fog, we are basically “flying blind”. Modern applications are extremely hard to secure and protect as they are complex and continuously changing. Our visibility of what we have, how it is behaving, and how it is being used (and abused) has diminished tremendously. So how do we begin to see through the fog once again?
In this session you’ll learn:
- Why we are flying blind
- 4 key areas to focus on to stop flying blind
- A way to get started quickly (for free!)
For more information on Traceable AI, visit us at: www.traceable.ai
Introducing Continuous Design/Continuous Integration
Agile processes have become mature contributors to the evolution of developer operations for the build-to-deploy stage, but what about design? After all, creating the user interface typically takes up to 60% of the total development time, easily representing the most attractive opportunity since Agile itself to redefine how apps are built. Not only is it an enormous expense, but mistakes between designers & developers can impact an app well after launch. Since design is now largely digitized, it seems like a no-brainer to build automated conversion tools that integrate designer/developer workflow into what we could call “Continuous Design/Continuous Integration”. So where are they?
In this talk, Parabeac CEO Ivan Huerta describes the reasons why it is much harder than you might expect, and what CD/CI would need to look like to be truly functional. Ivan outlines the major challenges that have kept CD/CI from coming to fruition and the new pathways within which CD/CI tools could now be on the near horizon. He predicts how the CD/CI market may present itself over time, and what the substantial and surprising long-term impact might be.
Agile gave adaptive energy to the build and deploy stages of app development. CD/CI simply extends that backward to include the design stage as well. But when CD/CI platforms become an integral part of automating developer workflows, the reduction in development costs may only be a small part of the story compared to CD/CI’s impact on the transformation of traditional developer roles. Ivan closes his talk with a discussion of the potential implications of that transformation. A more detailed outline of the talk is available on request.
Looking into the trade-offs a lot of teams make to move into containers and Kubernetes and how they should plan to address those that keep them from the velocity they are seeking... and make sure they do so securely.
Thursday, November 18, 2021
Security is becoming a more prevalent issue every day, especially for young companies and developers looking to manage and update their applications. Ultimately, almost every application uses a database. However, traditional SQL systems are dated and lack out-of-the-box solutions for building clear audit trails, validating record integrity, and analyzing historical versions of the data. This talk will overview Blockpoint's immutable, SQL-compliant database management system, MDB, and how using an immutable database can benefit your data-driven applications.
Nobody complains that the database is too fast. But when things slow down, they do complain. The two most popular ways of speeding up queries in a relational database are indexes and histograms. This talk covers when to use one over the other, how to properly construct an index, where histograms fail, and much more.