@JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter
Trusting Your Ingredients
What Building Software And Cheesecake Have In Common
A big thanks to our hosts of today
Show notes: https://jfrog.com/shownotes (slides, links, comments & ratings, raffle)
Who am I?
Leon Stigter, Developer Advocate (@LeonStigter)
• Developer Advocate
• Passionate about Serverless, Containers, and all things Cloud
• I love dad jokes, cheesecake and Go
Let’s play a game! Which project is this…
• A giant cybersecurity breach compromised the personal information of as many as 143 million Americans
• An attacker could exploit “this” by using a malicious tar binary to write files to any path on the target machine whenever
There are 2 hard problems in computer science:
cache invalidation, naming things, and off-by-1 errors.
- Leon Bambrick
What is devops?
What is devsecops?
What is devsecops?
The philosophy of integrating security practices within the DevOps process. #SecurityFirst culture!
How? Introducing security earlier in the life cycle of application development.
The three P’s of devsecops
• Protocols, like zero-trust, to implement in your pipelines (what)
• Processes, dictating how to add security to DevOps
• Philosophy, of shared ownership and cooperation between the teams (why)
Source: https://www.infoq.com/articles/evolve-devops-devsecops/
Who cares about security anyway?
¯\_(ツ)_/¯
Well, let’s talk about numbers
Q1 2019
• More than 1900 incidents (up by 56.4%)
• Close to 2B records exposed (up by 28.9%)
Let’s make it slightly worse
Q1 2019
• 3 breaches with 100M+ records
• Business sector is targeted in 85.6%
• Hacks are 84.8% of breaches
My personal favorite
“14.7% of breached organizations were unwilling or unable to disclose the number of records exposed.”
Let’s welcome on stage our main characters
Making a cheesecake                  | Building an app
Ingredients                          | Libraries (Jars, Modules, Gems…)
Recipe                               | Source code
Kitchen stuff (whisk, bowl, spatula) | Dev tools (editor, CLI tools, VCS)
Appliances (oven, fridge)            | Build tools (CI/CD server)
Fork                                 | Runtime
Let’s imagine you’re a chef
• Will subpar ingredients get me the best cheesecake?
• Where do the vendors I use get the ingredients from?
What matters for ingredients?
• Trust
• Traceability
• End-to-end transparency
Where do my ingredients come from?
Why do we care about traceability?
• Identify what’s in a package
• Identify who’s using it
• Identify where it’s stored
Docker makes things a little tricky
• Versions are tags, and are dynamic and mutable
• Latest is not always really latest
Diagram: the single tag my-image:5.0 shown pointing at two different layer stacks, OS layer 1.0 / Framework layer 2.0 / Application layer 2.0 and OS layer 1.1 / Framework layer 2.1 / Application layer 2.1.
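An added example, not from the deck: a small Python audit that parses the image reference on each FROM line of a constructed Dockerfile, flags references that rely on a mutable tag or an implicit latest, and shows how one would be rewritten to a content digest so a rebuild cannot silently change what gets pulled. The image names and the digest values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Dockerfile, not from the slide deck: mutable tags, implicit and
# explicit "latest", one digest-pinned image and a multi-stage build line.
SAMPLE_DOCKERFILE = "\n".join([
    "FROM my-image:5.0",
    "FROM registry.example.com/team/app:latest",
    "FROM alpine",
    "FROM python:3.11-slim@sha256:" + "0" * 64,
    "FROM --platform=linux/amd64 golang:1.21 AS build",
])

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    name: str                 # registry/repository part, e.g. localhost:5000/app
    tag: Optional[str]        # mutable label such as 5.0 or latest
    digest: Optional[str]     # content address such as sha256:<64 hex chars>

    @property
    def pinned(self) -> bool:
        # Only a content digest identifies exactly one image; a tag can be
        # re-pointed at a rebuilt image at any time.
        return self.digest is not None and DIGEST_RE.match(self.digest) is not None

    def risk(self) -> str:
        if self.pinned:
            return "pinned"
        if self.tag is None or self.tag == "latest":
            return "floating-latest"
        return "mutable-tag"


def parse_image_ref(ref: str) -> ImageRef:
    """Split name[:tag][@digest]; a ':' before the last '/' is a registry port."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        return ImageRef(ref[:colon], ref[colon + 1:], digest)
    return ImageRef(ref, None, digest)


def from_images(dockerfile: str) -> List[str]:
    """Image reference of every FROM line, ignoring --platform style flags."""
    refs = []
    for line in dockerfile.splitlines():
        parts = line.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        tokens = [p for p in parts[1:] if not p.startswith("--")]
        if tokens:
            refs.append(tokens[0])
    return refs


def audit(dockerfile: str) -> Dict[str, str]:
    """Map each FROM image to pinned / mutable-tag / floating-latest."""
    return {ref: parse_image_ref(ref).risk() for ref in from_images(dockerfile)}


def pin_reference(ref: ImageRef, digest: str) -> str:
    """Rewrite a tag reference as name:tag@digest, keeping the tag for readability.
    In practice the digest comes from `docker inspect` or the registry manifest."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 digest: {digest}")
    tag_part = f":{ref.tag}" if ref.tag else ""
    return f"{ref.name}{tag_part}@{digest}"


if __name__ == "__main__":
    for image, verdict in audit(SAMPLE_DOCKERFILE).items():
        print(f"{verdict:16} {image}")
```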
Docker makes things a little tricky
• It lets you pull code and dependencies into production systems
• It lets you update databases or call external services with POST data
Let’s do a quick poll (Question 1): Who is using Open Source tech? Yes / No
Let’s do a quick poll (Question 2): Do you have influence over which tools your company uses? Yes / No
If you said “yes” to question 2, you’re not alone…
71% of developers have some influence in software choices
Source: State of the Developer Nation, 15th edition
If you said “yes” to question 1, you’re definitely not alone…
• 98% of developers use Open Source tools at work
• 96% of commercial apps embed Open Source
• 79% of businesses use Open Source for key systems
Trust, but verify…
Do you trust your colleagues?
I hope the answer is yes
Trust is built with consistency
Do you trust the rest of the world?
What matters for libraries? (the same things that matter for ingredients)
• Trust
• Traceability
• End-to-end transparency
I think it is safe to say that…
Having trust in where your ingredients come from and who made them is important in both making cheesecake and software.
Protecting your recipes
Open source licenses
35 licenses
• 13 require you to publish product sources
• 4 allow users to ask for sources on hosted software
Source: https://choosealicense.com/appendix/
Recipes in software: source code
Developers programming in DevSecOps environments fix 11x faster than other developers
“Security is your friend! Seriously! Developers are the true sentries of product security, as not introducing accidental weaknesses in the first place is always much better than even the fastest hotfix process later on. DevSecOps practices that make developers into security champions”
So let’s look at some of that in action…
Yes, I’ll use JFrog software but it’s equally applicable to other software vendors & products too :)
Recipes in software: things to watch for
Common faults
• Input Validation
• Memory Corruption
• Numeric Errors
• Cryptographic Issues
But what about
• Hardcoded Passwords
• Missing Validation
• Backdoors
• Data Anomalies
@LeonStigter | Copyright © 2019 JFrog. All Rights Reserved
Immutability and repeatability
• Immutable dependencies: the best way to guarantee issues is force push
• Lost dependencies: who doesn’t remember left-pad with Node.js?
• Internet issues: do you trust your suppliers enough?
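An added example (mine, not from the deck) of what “immutable dependencies” looks like for Node.js: it recomputes the Subresource Integrity hash of each downloaded tarball, compares it with the package-lock.json entry, and flags packages that resolve from anywhere other than an internal mirror, which is the usual answer to a left-pad style disappearance. The lockfile, the tarball bytes and the mirror URL npm.mirror.example.internal are all constructed.

```python
import base64
import hashlib
import json
from typing import Dict

# Hypothetical internal mirror; builds should resolve from here, not the public internet.
APPROVED_REGISTRY = "https://npm.mirror.example.internal/"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form npm writes to package-lock.json."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


# Constructed tarballs standing in for what the package manager downloaded.
TARBALLS = {
    "node_modules/left-pad": b"constructed left-pad 1.3.0 tarball bytes",
    "node_modules/tiny-lib": b"constructed tiny-lib 0.1.0 tarball bytes",
    "node_modules/no-hash": b"constructed tarball that has no integrity recorded",
}

# Constructed package-lock.json (lockfileVersion 2 layout). tiny-lib carries a
# deliberately wrong hash and resolves to the public registry; no-hash has no
# integrity field at all, so nothing guarantees the same bytes next time.
LOCKFILE = json.dumps({
    "name": "demo",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": APPROVED_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri(TARBALLS["node_modules/left-pad"]),
        },
        "node_modules/tiny-lib": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/tiny-lib/-/tiny-lib-0.1.0.tgz",
            "integrity": "sha512-" + base64.b64encode(b"\x00" * 64).decode(),
        },
        "node_modules/no-hash": {
            "version": "2.0.0",
            "resolved": APPROVED_REGISTRY + "no-hash/-/no-hash-2.0.0.tgz",
        },
    },
})


def verify_lockfile(lockfile_text: str, tarballs: Dict[str, bytes]) -> Dict[str, str]:
    """One verdict per package: ok, ok-but-external-source, hash-mismatch,
    no-integrity or missing-tarball."""
    lock = json.loads(lockfile_text)
    verdicts: Dict[str, str] = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        data = tarballs.get(path)
        if data is None:
            verdicts[path] = "missing-tarball"
            continue
        integrity = entry.get("integrity", "")
        if not integrity:
            verdicts[path] = "no-integrity"
            continue
        # An integrity value may list several space-separated hashes; any match is enough.
        matched = any(sri(data, cand.partition("-")[0]) == cand for cand in integrity.split())
        if not matched:
            verdicts[path] = "hash-mismatch"
            continue
        if not entry.get("resolved", "").startswith(APPROVED_REGISTRY):
            verdicts[path] = "ok-but-external-source"
            continue
        verdicts[path] = "ok"
    return verdicts


if __name__ == "__main__":
    for pkg, verdict in verify_lockfile(LOCKFILE, TARBALLS).items():
        print(f"{verdict:24} {pkg}")
```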
Where should we inject security?
Shifting left…
At the beginning of the process!
• Shifting left aims to embed security in every part of the application lifecycle – run time, build time and even development time.
• It means developing more secure applications faster, refusing to accept that the two (secure & fast) are mutually exclusive!
Buildtime, Runtime, and real-time security
Devsecops do’s
• Treat DevOps as code (automate your processes as much as possible)
• Standardize and automate your security and governance processes
• Get insights into your end-to-end process (visibility and transparency)
Devsecops don’ts
• Have developers write and maintain scripts for DevOps
• Think that all current tools and processes will magically work when moving to cloud or containers
• Believe that a single vendor has all tools you need
• Think that security is someone else’s problem
• Think that a firewall is more than adequate security
Recap
• Trusting your ingredients
• Trusting your suppliers
• Transparency in your process
Twitter, ads, and Q&A
• https://jfrog.com/shownotes
• @JFrog
• #DevSecOps / #DevOps
• @LeonStigter
Thank you!
Stay safe!

  • 31. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter End-to-End transparency TRUST Traceability What matters for ingredients libraries?
  • 32. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter I think it is safe to say that… Having trust in where your ingredients come from and who made them is important in both making cheesecake and software
  • 33. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter Protecting your recipes
  • 34. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter 35 licenses • 13 require you to publish product sources • 4 allow users to ask for sources on hosted software Open source licenses Source: https://choosealicense.com/appendix/
  • 35. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter Source code Recipes in software Developers programming in DevSecOps environments fix 11x faster than other developers
  • 36. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter “Security is your friend! Seriously! Developers are the true sentries of product security, as not introducing accidental weaknesses in the first place is always much better than even the fastest hotfix process later on. DevSecOps practices that make developers into security champions”
  • 37. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter So lets look at some of that in action… Yes, I’ll use JFrog software but it’s equally applicable to other software vendors & products too J
  • 38. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter Common faults • Input Validation • Memory Corruption • Numeric Errors • Cryptographic Issues But what about • Hardcoded Passwords, • Missing Validation • Backdoors • Data Anomalies Recipes in software: things to watch for @LeonStigter | Copyright © 2019 JFrog. All Rights Reserved
  • 39. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter Immutability and repeatability The best way to guarantee issues is force push Immutable dependencies Who doesn’t remember left-pad with Node.js? Lost Dependencies Do you trust your suppliers enough? Internet Issues
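The Docker point on slide 23 (a tag such as my-image:5.0 can be re-pointed at different layers) and the immutability and lost-dependency points on slide 39 both come down to the same practice: reference build inputs by content, not by a mutable name. The following Python script is an added example for this page, not code from the talk, the speaker or JFrog. It scans a constructed Dockerfile for FROM references that carry only a tag (no @sha256: digest) and a constructed pip requirements file for lines without a --hash, and shows how a tag-only reference is rewritten to digest form. The file contents, image names, package names and digests are all made up for the example.

```python
"""Check that build inputs are pinned by content, not by mutable name.

Added example for this talk (not JFrog's or the speaker's code): a Docker tag
such as my-image:5.0 can be re-pointed at new layers, and a package such as
left-pad can vanish from its registry, so the build should reference the
image digest and the package hash. All sample inputs below are constructed.
"""
import re

# Constructed Dockerfile: line 1 is tag-only (mutable), line 2 is digest-pinned,
# "scratch" is not an image and needs no pin.
SAMPLE_DOCKERFILE = f"""\
FROM my-image:5.0
FROM python:3.11-slim@sha256:{'0' * 64} AS build
FROM scratch
COPY --from=build /app /app
"""

# Constructed requirements file: line 1 is hash-pinned, line 2 is not.
SAMPLE_REQUIREMENTS = f"""\
requests==2.31.0 --hash=sha256:{'1' * 64}
left-pad==1.0.0
# a comment and a pip option line are not requirements
-r other.txt
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE
)


def unpinned_images(dockerfile_text):
    """Return (line number, reference) for every FROM that lacks a digest."""
    findings = []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        match = FROM_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.lower() == "scratch":
            continue  # empty base image, nothing to pin
        if not DIGEST_RE.search(ref):
            findings.append((lineno, ref))
    return findings


def unhashed_requirements(requirements_text):
    """Return (line number, requirement) for lines without ==version and --hash."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue  # blank, comment, or pip option such as -r / -e / --index-url
        if "==" not in stripped or "--hash=" not in stripped:
            findings.append((lineno, stripped.split()[0]))
    return findings


def pin_image(ref, digest):
    """Rewrite a tag-only reference to name:tag@sha256:... (tag kept for readers)."""
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError("digest must look like sha256:<64 hex chars>")
    if DIGEST_RE.search(ref):
        return ref  # already pinned; never stack a second digest
    return f"{ref}@{digest}"


if __name__ == "__main__":
    for lineno, ref in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{lineno}: {ref} is pinned by tag only")
    for lineno, req in unhashed_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements.txt:{lineno}: {req} has no --hash")
    print(pin_image("my-image:5.0", "sha256:" + "a" * 64))
```

Real digests come from the registry, for instance `docker inspect --format '{{index .RepoDigests 0}}' <image>` after a pull, and package hashes from `pip hash` on the downloaded wheel. Pinning only helps if the pinned artifact also stays available, which is the "lost dependencies" point on slide 39 and the reason to keep a local copy of everything the build consumed.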
  • 40. Where should we inject security?
  • 41. Shifting left… At the beginning of the process! Shifting left aims to embed security in every part of the application lifecycle (run time, build time and even development time), and means developing more secure applications faster, refusing to accept that the two (secure & fast) are mutually exclusive!
  • 42. Buildtime, runtime, and real-time security
  • 43. Devsecops do's: treat DevOps as code (automate your processes as much as possible); standardize and automate your security and governance processes; get insights into your end-to-end process (visibility and transparency).
  • 44. Devsecops don'ts: have developers write and maintain scripts for DevOps; think that all current tools and processes will magically work when moving to cloud or containers; believe that a single vendor has all the tools you need; think that security is someone else's problem; think that a firewall is more than adequate security.
  • 45. Recap: trusting your ingredients; trusting your suppliers; transparency in your process.
  • 46. Twitter, ads, and Q&A: https://jfrog.com/shownotes; @JFrog; #DevSecOps / #DevOps; @LeonStigter
  • 47. Thank you! Stay safe!