GDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec

•

0 likes•68 views

The lecture titled "Automating AppSec" delves into the critical challenges associated with manual application security (AppSec) processes and outlines strategic approaches for incorporating automation to enhance efficiency, accuracy, and scalability. The lecture is structured to highlight the inherent difficulties in traditional AppSec practices, emphasizing the labor-intensive triage of issues, the complexity of identifying responsible owners for security flaws, and the challenges of implementing security checks within CI/CD pipelines. Furthermore, it provides actionable insights on automating these processes to not only mitigate these pains but also to enable a more proactive and scalable security posture within development cycles. The Pains of Manual AppSec: This section will explore the time-consuming and error-prone nature of manually triaging security issues, including the difficulty of prioritizing vulnerabilities based on their actual risk to the organization. It will also discuss the challenges in determining ownership for remediation tasks, a process often complicated by cross-functional teams and microservices architectures. Additionally, the inefficiencies of manual checks within CI/CD gates will be examined, highlighting how they can delay deployments and introduce security risks. Automating CI/CD Gates: Here, the focus shifts to the automation of security within the CI/CD pipelines. The lecture will cover methods to seamlessly integrate security tools that automatically scan for vulnerabilities as part of the build process, thereby ensuring that security is a core component of the development lifecycle. Strategies for configuring automated gates that can block or flag builds based on the severity of detected issues will be discussed, ensuring that only secure code progresses through the pipeline. Triaging Issues with Automation: This segment addresses how automation can be leveraged to intelligently triage and prioritize security issues. It will cover technologies and methodologies for automatically assessing the context and potential impact of vulnerabilities, facilitating quicker and more accurate decision-making. The use of automated alerting and reporting mechanisms to ensure the right stakeholders are informed in a timely manner will also be discussed. Identifying Ownership Automatically: Automating the process of identifying who owns the responsibility for fixing specific security issues is critical for efficient remediation. This part of the lecture will explore tools and practices for mapping vulnerabilities to code owners, leveraging version control and project management tools. Three Tips to Scale the Shift Left Program: Finally, the lecture will offer three practical tips for organizations looking to scale their Shift Left security programs. These will include recommendations on fostering a security culture within development teams, employing DevSecOps principles to integrate security throughout the development

GDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec

More from James Anderson

GraphQL Insights Deck ( Sabre_GDG - Sept 2023).pdf

James Anderson

GraphQL - Industry insights on the rise of the supergraph Exploring what we’ve learned from hundreds of organizations transforming their business and customer experiences with GraphQL & the supergraph. In his talk and Q&A session, Dan Boerner will share insights and best practices from his experience working with hundreds of companies working to unblock their teams and backlogs with the supergraph—a new layer of the stack. He’ll share real-world examples to explore why GraphQL and its architectural advantages must be coupled with leadership, vision, team empowerment, and mindset shifts to truly transform the way enterprises build, deliver and organize themselves to create digital products. As Apollo’s Graph Champion, Dan leads Apollo’s community of 800+ GraphQL leaders from 350 companies. Before joining Apollo, Dan led Expedia Group’s effort to radically accelerate the delivery of improved customer experiences with a company-wide supergraph. Dan is passionate about helping graph champions harness the transformative power of the supergraph to improve product development and digital customer experiences. At Apollo, he leads a community of hundreds of GraphQL champions working to drive transformation within their organizations. He joined Apollo after a long tenure at Expedia Group where he led the effort to create a company-wide supergraph transforming product development and delivery, and enabling the organization to roll out their new trips platform in 1 year instead of 3. https://youtu.be/0Vucl1qVecM

GDG Cloud Southlake #25: Jacek Ostrowski & David Browne: Sabre's Journey to ...

James Anderson

GDG Cloud Southlake #25: Ostrowski/Browne: Sabre's Journey to the Cloud Brief overview of Sabre's journey from private datacenters, through multi-cloud to mono-cloud and beyond. Review of the drivers, expectations, and results with plenty of time for Q&A. Jacek Ostrowski Sabre Sr Director Platform Engineering In 1998 Jacek received MS in Computer Science from Jagiellonian University, Poland and started a developer career. From 2001 to 2007 he honed his java and architecture skills while building systems supporting data warehouses with Asseco Poland. In 2007 joined Sabre as a senior java engineer, and a few years later moved to enterprise architecture. After a few years as an EA, he started championing platform product management and took the platform product manager position. In 2018 took a leadership position over a team of platform product managers. From 2020 Jacek leads Platform Engineering and uses his developer experience and product mindset to make Sabre's developers happier and more productive. David Browne Sabre Senior Principal SRE Architecture Graduated from the University of Waterloo with Joint degrees in Computer Science and Actuarial Science. Has spent 20 years doing software development and Enterprise Architecture work with IBM, Travelocity, and Sabre. Experienced in implementing enterprise DevOps solutions to deploy software into on-prem and cloud-based environments such as AWS, Azure and GCP. Currently working as an SRE architect with Sabre where he is an advocate for designing and implementing enterprise DevOps solutions that can run at scale. Enabling hundreds of teams to get their software products to market faster and more efficiently while meeting today’s current reliability regulatory and security requirements. https://gdg.community.dev/events/details/google-gdg-cloud-southlake-presents-gdg-cloud-southlake-25-ostrowskibrowne-sabres-journey-to-the-cloud/cohost-gdg-cloud-southlake

A3 - AR Code Planetarium CST.pdf

James Anderson

This is the white paper behind the GDG Cloud Southlake #24 presentation by Arty Starr: Enabling Powerful Software Insights by Visualizing Friction and Flow In an Agile software development process, a software team will typically meet on a regular basis in a “retrospective meeting” to reflect on the challenges faced by the team and opportunities for improvement. On the surface, this challenge might seem straight-forward, but modern software projects are complex endeavors, and developers are human – identifying what’s most important in a complex sociotechnical system is a task humans struggle to do well. What if developers had tools that recorded and helped them explore their historical experiences with the code, and they could identify hotspots of team friction, worthy of discussion, based on empirical data? This talk will explore the possibility and impact of such tools through a design fiction and working prototype of an Augmented Reality (AR) Code Planetarium powered by FlowInsight developer tools. Arty Starr, PhD student, University of Victoria & Founder, FlowInsight Arty is a recognized Flow Experience expert, researcher, speaker and thought leader, and the author of Idea Flow. This expertise, along with her experience as a former CTO and software engineer inspired Arty’s mission to improve the efficiency and morale of engineering teams, culminating in her founding FlowInsight. Arty teaches system models for better understanding the Flow Experience of software development, and the practice of using Flow Metrics to systematically optimize programming flow. “Flow as a practice” is the art of getting in and staying in flow state to optimize productivity. The company she founded, FlowInsight, is on a mission to bring back joy to our everyday work.

GDG Cloud Southlake #24: Arty Starr: Enabling Powerful Software Insights by V...

James Anderson

Enabling Powerful Software Insights by Visualizing Friction and Flow In an Agile software development process, a software team will typically meet on a regular basis in a “retrospective meeting” to reflect on the challenges faced by the team and opportunities for improvement. On the surface, this challenge might seem straight-forward, but modern software projects are complex endeavors, and developers are human – identifying what’s most important in a complex sociotechnical system is a task humans struggle to do well. What if developers had tools that recorded and helped them explore their historical experiences with the code, and they could identify hotspots of team friction, worthy of discussion, based on empirical data? This talk will explore the possibility and impact of such tools through a design fiction and working prototype of an Augmented Reality (AR) Code Planetarium powered by FlowInsight developer tools. Arty Starr, PhD student, University of Victoria & Founder, FlowInsight Arty is a recognized Flow Experience expert, researcher, speaker and thought leader, and the author of Idea Flow. This expertise, along with her experience as a former CTO and software engineer inspired Arty’s mission to improve the efficiency and morale of engineering teams, culminating in her founding FlowInsight. Arty teaches system models for better understanding the Flow Experience of software development, and the practice of using Flow Metrics to systematically optimize programming flow. “Flow as a practice” is the art of getting in and staying in flow state to optimize productivity. The company she founded, FlowInsight, is on a mission to bring back joy to our everyday work.

GDG Cloud Southlake #23:Ralph Lloren: Social Engineering Large Language Models

James Anderson

Ralph Lloren discusses social engineering and AI chatbots. He defines social engineering as gathering data about a system or framework to find vulnerabilities and then exploiting or healing gaps. He explains how biases, emotions, and behaviors can be manipulated in social engineering. Ralph also discusses how communication with chatbots, like ChatGPT, requires understanding human patterns of intellect, emotions, and behaviors to have effective conversations.

GDG Cloud Southlake no. 22 Gutta and Nayer GCP Terraform Modules Scaling Your...

James Anderson

GCP Terraform Modules: Scaling Your Infrastructure the easy way With GCP Terraform Modules, you can take advantage of pre-built modules that simplify the process of creating and managing GCP resources, such as virtual machines, load balancers, databases, and more. These modules are designed to be reusable, scalable, and customizable, allowing you to quickly and easily deploy complex infrastructure configurations with just a few lines of code. Whether you're just getting started with GCP or you're looking for a more efficient way to manage your infrastructure, GCP Terraform Modules are a great way to streamline your operations and scale your infrastructure with ease. Join us as we cover details on why to use modules, how to use and where to find more helpful resources. Anita Gutta is Cloud Infrastructure Engineer in Google Cloud Professional Services Organization (PSO). She provides technical guidance to customers adopting Google Cloud Platform services. She works closely with clients to understand their business needs and recommends the best cloud solutions to meet those needs. She has hands-on terraform experience and leads the SME TF Community in Google Cloud. Prior to Google Anita worked in the IT industry for 25 years, the majority focused in the finance sector. Imran Nayer is a Senior Technical Solutions Consultant at Google Cloud Professional Services. He has been working on Google Cloud since 2019. Helped companies in the healthcare, financial, and retail sectors with projects including cloud foundation, migration, and automation. He is a regular contributor to the official GCP Terraform module, aka the Cloud Foundation Toolkit. He developed the Cloud Armor Security Module and several other CFT submodules.

GDG Cloud Southlake #21:Alexander Snegovoy: Master Continuous Resiliency in C...

James Anderson

Mastering Continuous Resiliency in Cloud: Chaos Engineering No one likes downtime. It can be detrimental in today’s competitive environment. It isn’t cheap either. Many companies have been using traditional DR strategies. However, their testing is costly, limited, and complex. In the modern agile environment, the latest DR exercise becomes invalid not long after it is done and there’s a greater variety of disruptions that can occur. In this demo, we’ll explore how to use chaos engineering techniques to: quantify reliability and resiliency, gain valuable insights, and build systems that can withstand the unexpected. By applying these practices, you can gain confidence, prove resiliency, and be sure you are ready to face the unexpected. Our speaker is Alexander Snegovoy, Lead of DevOps & Cloud Center of Competence at DataArt. Alex spearheads DataArt’s drive toward innovation, with more than 10 years of professional experience across the financial services, healthcare, travel, and IoT industries. After joining DataArt as a software engineer in 2016, he became a leading member of the DevOps & Cloud Center of Competence. His role also includes identifying and communicating technology trends, cementing alliances and strategic partnerships with other companies, and coaching and mentoring new talent.

GDG Cloud Southlake #20:Stefano Doni: Kubernetes performance tuning dilemma: ...

James Anderson

GDG Cloud Southlake #19: Sullivan and Schuh: Design Thinking Primer: How to B...

James Anderson

GDG Cloud Southlake #18 Yujun Liang Crawl, Walk, Run My Journey into Google C...

James Anderson

Crawl, Walk, Run. An exciting journey from 0 to fully certified on Google Cloud. A story of inspiration, entertainment, and struggle. You don't want to miss it. @YujunLiang is an Associate Director at Accenture. He started his Google Cloud journey in 2017 and had been on many challenging projects including leading roles on some of them. His expertise spans Cloud Infrastructure and Data analytics. Currently, Yujun works as the cloud architect on a Data Analytics Platform and helps the team remove roadblocks in networking and security. He is also known as the certification king on LinkedIn. He holds all 11 Google Cloud certifications and all 14 AWS certifications. His dedication to learning has created a sensation. Yujun is a Google Cloud Champion Innovator with a specialization in Data Analytics, Databases, Security, and Networking. Video on YouTube: https://youtu.be/RkMCn6ukfZg Check out past and future GDG Cloud Southlake events: https://gdg.community.dev/gdg-cloud-s... #cloud #gdg #gdgcloudsouthlake #sabre #google #careerjourney

GDG Cloud Southlake #17: Meg Dickey-Kurdziolek: Explainable AI is for Everyone

James Anderson

If Artificial Intelligence (AI) is a black-box, how can a human comprehend and trust the results of Machine Learning (ML) alogrithms? Explainable AI (XAI) tries to shed light into that AI black-box so humans can trust what is going on. Our speaker Meg Dickey-Kurdziolek is currently a UX Researcher for Google Cloud AI and Industry Solutions, where she focuses her research on Explainable AI and Model Understanding. Recording of the presentation: https://youtu.be/6N2DNN_HDWU

GDG Cloud Southlake #16: Priyanka Vergadia: Scalable Data Analytics in Google...

James Anderson

Do you know The Cloud Girl? She makes the cloud come alive with pictures and storytelling. The Cloud Girl, Priyanka Vergadia, Chief Content Officer @Google, joins us to tell us about Scaleable Data Analytics in Google Cloud. Maybe, with her explanation, we'll finally understand it! Priyanka is a technical storyteller and content creator who has created over 300 videos, articles, podcasts, courses and tutorials which help developers learn Google Cloud fundamentals, solve their business challenges and pass certifications! Checkout her content on Google Cloud Tech Youtube channel. Priyanka enjoys drawing and painting which she tries to bring to her advocacy. Check out her website The Cloud Girl: https://thecloudgirl.dev/ and her new book: https://www.amazon.com/Visualizing-Google-Cloud-Illustrated-References/dp/1119816327

GDG Cloud Southlake #15: Mihir Mistry: Cybersecurity and Data Privacy in an A...

James Anderson

Addressing Cybersecurity and Data Privacy concerns in the evolving world of AR, VR and Metaverse. Mihir Mistry is a leader in Strategy, Governance, Risk and Compliance. Leads the delivery service lines for Controls & Compliance, Risk & Advisory, Cloud and Architecture. Takes a very programmatic approach to solving and delivering security based projects. Proven business and entrepreneurial skills to deliver custom, highly visible projects in front of the C-suite and Board of Directors. Diverse knowledge base and framework expertise that includes NIST, HIPAA, HITRUST, CIS, GLBA, ISO, GDPR, CLOUD, PCI and others. Global experience across North America, Europe, Asia and Australia. https://gdg.community.dev/events/details/google-gdg-cloud-southlake-presents-gdg-cloud-southlake-15-mihir-mistry-cybersecurity-and-data-privacy-in-an-arvr-metaverse-world/

GDG Cloud Southlake #14: Jonathan Schneider: OpenRewrite: Making your source ...

James Anderson

GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries

James Anderson

Secure Cloud Networking – Beyond Cloud Boundaries. When you are learning cloud, networking examples are just complicated enough to get you exposed to the networking fundamentals of that cloud. Real-life is quite a bit different. Matt Kazmar, Rod Stuhlmuller, Corbin Louks and Mark Cunningham from Aviatrix walks us through the complications of cloud networking, especially those encountered beyond one cloud.

GDG Cloud Southlake #8 Steve Cravens: Infrastructure as-Code (IaC) in 2022: ...

James Anderson

Infrastructure as Code (IaC) is a concept that has been around for a while now and much research has been done to not only prove out the value but also how to enhance IaC implementations. We have a full guest list including Steve Cravens, who can speak to the school of hard knocks of why IaC is important. Stenio Ferreira, who prior to Google worked at Hashicorp and has vast experience on how to successfully implement IaC with Terraform. Lastly, Josh Addington, who is an Sr. Solutions Engineer at Hashicorp and will be speaking to the Day 2 operations as well as other offerings that can enhance IaC implementations. Here is the high level overview: • IaC overview • Terraform Tactical • IaC day 2 and Governance

GDG Cloud Southlake #6 Tammy Bryant Butow: Chaos Engineering The Road To Res...

James Anderson

Our Speaker: Tammy Bryant Butow, a Principal Site Reliability Engineer @ Gremlin will talk to us about The Road To Resilience: Chaos Engineering, Disaster Recovery & GameDays. Abstract: Over the years much research has been conducted and books have been written on how to improve the resilience of our software. This tech talk will dive deep into three key practices that improve the key measures of tempo and stability (outlined in Accelerate). These 3 practices are Chaos Engineering, Disaster Recovery and GameDays. You'll learn practical tips that you can put into action focused on resource consumption, capacity planning, region failover, decoupling services and deployment pain. You'll also hear how you can get certified in Chaos Engineering - whether you are a beginner or have many years of experience. Talks about #sre, #tech, #chaosengineering, #performanceengineering, and #sitereliabilityengineering

GDG Cloud Southlake #5 Eric Harvieux: Site Reliability Engineering (SRE) in P...

James Anderson

GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...

James Anderson

Are Cybersecurity threats increasing? Learn about protecting your business with a security program and understanding ransomware threats. Join us as Google's Biodun Awojobi and Wade Walters join us to discuss "Security Programs and Ransomware in the Cloud." We expect to have additional Cybersecurity events in future to cover security posture, Zero Trust, Google's Cybersecurity products & more! #cybersecurity #ransomware #google #gdg #gdgcloudsouthlake

GDG Cloud Southlake #3 Charles Adetiloye: Enterprise MLOps in Practice

James Anderson

More from James Anderson (20)