Security in agile teams

•

2 gostaram•244 visualizações

I gave this short talk in a meetup in Barcelona with Martin Fowler (https://youtu.be/14-knxKyJCw?t=1h21m5s) Every day, new security breaches are breaking headlines. Building secure applications is difficult, as vulnerabilities can be hard to predict. However, there are things we can do to make them more resilient. In this short talk, I point to a few best security practices and how to incorporate them into our agile teams.

Tecnologia

D o u b l e - c l i c k t o e d i t
SECURITY IN AGILE TEAMS
Maria Gomez
@mariascandella
Barcelona June 2017

Developer
Architect
Coach
Tech lead
Speaker
Security Expert

With great power
comes great responsibility
“
— uncle Ben
https://ﬂic.kr/p/5UDwbm

BENEFITS
• Higher conﬁdence
• Evolutionary model
• Better testing and planning
• Faster reaction to making improvements or ﬁxes

WHAT’S THE CURRENT STATE?
• List of existing systems/applications as well as their users.
• Review of past incidents/attacks
• Review of existing security policies and how they will impact
the scope of the project

WHAT IS THE CURRENT THREAT LANDSCAPE?
https://www.owasp.org/index.php/Application_Threat_Modeling

SECURITY CHECKLIST
• Secret Management tool for the team
• Password Manager
• Keep secrets out of source control
• Dependency checker for the CI/CD pipeline
• Static analysis tools
Cade Cairns - Security Playbook (https://github.com/cairnsc/security-playbook)

READY FOR DEV
• Identify security requirements
• Introduce acceptance criteria
Given an unauthenticated user enters the system
When she tries to view her proﬁle
Then she is redirected to the login page
#0

IN QA
The system meets the acceptance criteria
CFRs have been taken into account and implemented as part of the
story, if necessary
Established code conventions have been met
Check against attack trees

CONTINUOUS IMPROVEMENT
Given an unauthenticated user enters the
system
When she tries to view her proﬁle
Then she is redirected to the login page
#

REFERENCES
https://www.thoughtworks.com/insights/blog/incorporating-security-best-
practices-agile-teams
https://github.com/cairnsc/security-playbook
https://martinfowler.com/articles/web-security-basics.html
https://www.owasp.org/index.php/Main_Page

Mais conteúdo relacionado

Mais procurados

Mobile Application Security Threats through the Eyes of the Attacker

bugcrowd

The path of secure software by Katy Anton

DevSecCon

Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh

Napier University

Getting to Know Security and Devs: Keys to Successful DevSecOps

Franklin Mosley

Outpost24 Webinar - Creating a sustainable application security program to dr...

Outpost24

Top 5 Data Security Strategies in QA

QASource

Cybersecurity is the Future of Computing

David Fry

Secure Software Development Lifecycle - Devoxx MA 2018

Imola Informatica

DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca

DevSecCon

Chris Eng Why does it take so long to fix insecure code? We pair new data about the lifecycle of a vulnerability with learnings from application security programs to answer this perennial question. This analysis is not based on a survey – it's real data from real application scans. The data set contains 85,000 unique applications and 1.4 million individual assessments over a 12-month period, easily the largest application security data set of its size. Chris will describe the analysis process and some of the techniques, such as survival analysis, that were applied to the data set in order to measure and visualize outcomes. We'll focus specifically on identifying the factors that correlate most strongly (or not at all!) with fix rates. Finally, we'll provide data-backed insights on the contentious question of whether DevOps practices are a boon or a burden for security.

BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...

BlueHat Security Conference

Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey

North Texas Chapter of the ISSA

Building Security Controls around Attack Models

SeniorStoryteller

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

bugcrowd

Container images are based on many direct and indirect open source dependencies, which most developers are not aware of. What are the security implications of only seeing the tip of the iceberg? What are the challenges one faces when relying so heavily on open source? And how can teams overcome these? Join Codefresh and WhiteSource, as they embark on a journey to tackle: The container iceberg - learn what are your blind spots The main security challenges when using open source in containerized applications The role of automation in open source security in containers A live demo showing how WhiteSource & Codefresh can allow you to automate open source security in containers throughout the DevOps pipeline

Tackling the Container Iceberg:How to approach security when most of your sof...

WhiteSource

Perforce on Tour 2015 - How are You Protecting Your Source Code?

Perforce

Outpost24 Webinar - Five steps to build a killer Application Security Program

Outpost24

Chaos monitoring

Mona Arkhipova

James Brown, Director of Cloud Computing & Security Architecture, Alert Logic covers: • The shared security model: what security you are responsible for to protect your content, applications, systems and networks vs AWS. • Overview of the OWASP Top 10 most critical web application security risks (such as SQL injections) • Best practices for how to protect your environment from the latest threats

Journey to the Cloud: Securing Your AWS Applications - April 2015

Alert Logic

Systematically combine network data and intelligence sources to create a working model of the attack surface. Perform attack simulation to easily identify weak points in your defenses. Target vulnerability concentrations with streamlined actions and fix risky firewall rules and changes with automated risk assessment. With comprehensive network data at your fingertips, SOC analysts and incident response teams can achieve same-day response to cyber attacks. Take your enterprise network security to the next level. Prevent, analyze, and respond to cyber attacks in real time.

A Call to Arms: Using a Working Model of the Attack Surface to Improve Incide...

Skybox Security

Estimating Development Security Maturity in About an Hour

Priyanka Aash

Mais procurados (20)

Mobile Application Security Threats through the Eyes of the Attacker

The path of secure software by Katy Anton

Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh

Getting to Know Security and Devs: Keys to Successful DevSecOps

Outpost24 Webinar - Creating a sustainable application security program to dr...

Top 5 Data Security Strategies in QA

Cybersecurity is the Future of Computing

Secure Software Development Lifecycle - Devoxx MA 2018

DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca

BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...

Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey

Building Security Controls around Attack Models

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

Tackling the Container Iceberg:How to approach security when most of your sof...

Perforce on Tour 2015 - How are You Protecting Your Source Code?

Outpost24 Webinar - Five steps to build a killer Application Security Program

Chaos monitoring

Journey to the Cloud: Securing Your AWS Applications - April 2015

A Call to Arms: Using a Working Model of the Attack Surface to Improve Incide...

Estimating Development Security Maturity in About an Hour

Semelhante a Security in agile teams

The New Security Practitioner

Adrian Sanabria

Legacy-SecDevOps (AppSec Management Debrief)

Dinis Cruz

This talk will argue that DevOps methodologies can be applied to traditional application security practices. Only when developers and operations team members are enabled to make security a part of their everyday work will an organization's security culture change. We must meet security at the sweet spot between running a marathon and sprinting towards a software deployment. So put on your running shoes; it’s time for Dev{Sec}Ops!

Product Security

Steven Carlson

Essentials of Project Management

Living Online

As presented at the Bay Area Cyber Security Meetup on January 25th, 2018. Open source development paradigms have become the norm for most software development. This is regardless of whether you're making the next great IoT device, a new container microservice, or desktop application. While open source components are often viewed as free, and definately help solve problems in a scalable way, using them in a secure manner requires an understanding of how open source development really works. In this sesssion, I covered how secure development practices with data center regulations can benefit from an understanding of open source development. Specifically, we looked at fork management, community engagement and patch management. We ended with an open source maturity model.

A question of trust - understanding Open Source risks

Tim Mackey

We expect more automation, integration, and online activity in the foreseeable future resulting in more cybersecurity risks and issues. Therefore, organisations and individuals are spending more resources on cybersecurity projects to implement, maintain and optimise the confidentiality, integrity, and availability of their digital services and data. The demand for cybersecurity projects and expertise is growing; it is a great time to learn about cybersecurity project management. Cybersecurity is complex and aligning it to a multitude of international standards can be problematic. In Dr. Greg Skulmoski’s presentation, attendees will be introduced to a project management approach that combines standards and is tailored to cybersecurity projects. PRINCE2, the Guide to the Project Management Body of Knowledge, NIST Cybersecurity Framework, ITIL Service Management, ISO Risk Management, ISO Quality Management, and ISO Information Security Standards are aligned into a project delivery approach applicable to most cybersecurity projects, most of the time. The attendees will also learn about a risk management technique not in the PMBOK® Guide that they can use on their projects tomorrow! Speaker Greg Skulmoski is an award-winning project manager having led critical infrastructure projects in Australia, Middle East, and Canada. Greg’s innovative use of project management tools and processes won the CISO 2017 Middle East Security Award (for risk management in projects). Later, Greg was one of the project managers for the Smartphone-Connected Pacemaker Devices program that placed third in Cleveland Clinic’s Top 10 Medical Innovations for 2021. Dr. Skulmoski currently teaches risk management and project innovation management at Bond University in the Faculty of Society and Design, in Australia. Greg’s teaching focus is on using practical processes and tools to successfully implement projects, including digital transformation and metaverse projects. Greg’s critically acclaimed book – Shields Up: Cybersecurity Project Management. Greg is writing Cybersecurity Readiness: A Project Management Approach to Training that provides a lean approach to cybersecurity general awareness and role-based training scheduled for publication in 2023.

Shields Up Presentation.pdf

PMIUKChapter

Application Security from the Inside Out

Ulisses Albuquerque

Security Culture from Concept to Maintenance: Secure Software Development Lif...

Dilum Bandara

AWS live hack: Atlassian + Snyk OSS on AWS

Eric Smalling

DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...

DevSecCon

An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future. Agenda: -DevSecOps Introduction -Key Challenges, Recommendations -DevSecOps Analysis -DevSecOps Core Practices -DevSecOps pipeline for Application & Infrastructure Security -DevSecOps Security Tools Selection Tips -DevSecOps Implementation Strategy -DevSecOps Final Checklist

Introduction to DevSecOps

Setu Parimi

"Adapt what is useful, reject what is useless, and add what is specifically your own." -Bruce Lee Full transcript is here, https://www.linkedin.com/pulse/warriors-journey-building-global-appsec-program-owasp-brian-levine This talk covers critical foundations for building a scalable Application Security Program. Drawing on warrior-tested strategies and assurance frameworks such as OWASP SAMM and BSIMM, this session gives actionable guidance on building and advancing a global application security program. Whether you are starting a fledgling security journey or managing a mature SSDLC, these foundational elements are core for achieving continuous security at scale. Brian Levine is Senior Director of Product Security for Axway, an enterprise software company, delivering product solutions and cloud services to global Fortune 500 enterprises and government customers. If you were tasked with building a security program, imagine it's day 1 in your new role as an application security manager, which playbook would you use? There’s an Alphabet Soup of standards to choose from, you have ISO, SOC2, OWASP, NIST, BSIMM, PCI, CSA, and on and on. Is there a script you could follow? And which set of frameworks would you use to get started in the right direction? My talk today is going to draw on this quote and the wisdoms of the martial arts master and philosopher Bruce Lee. Adapt what is useful, reject what is useless, and add what is specifically your own. So, in that spirit I’m going to draw on my own experience with some of these frameworks and guidelines and cover the core foundational components that I feel have led to my success and I hope will help you get started. What I’m hoping you’ll get out of this talk are some strategies and tactics that you can use to develop and improve your program. [Slide 6] What we’re going to cover in these three core areas. We’ll focus on establishing a security Culture, we’ll look at developing and scaling security Processes and we’ll look at Governance for ensuring visibility and executive accountability

A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020

Brian Levine

In this session, you learn pragmatic steps to integrate security controls into DevOps processes in your AWS environment at scale. Cyber security expert and founder of Alert Logic Misha Govshteyn shares insights from high performing teams who are embracing the reality that an agile security program can enable faster and more secure workload deployments. Joining Misha is Joey Peloquin, Director of Cloud Security Operations at Citrix, who discusses Citrix’s DevOps experiences and how they manage their cyber security posture within the AWS Cloud. Session sponsored by Alert Logic

Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017

Amazon Web Services

Threats are evolving and emerging every day. PagerDuty needed to take a more proactive and efficient stance to monitor, investigate and triage threats and maintain their security posture on the AWS Cloud. Splunk’s analytics-driven security solution made it easy for PagerDuty to gain end-to-end visibility across their cloud environment. In this webinar, you’ll learn how PagerDuty gained the end-to-end visibility required to respond quickly and effectively to security threats using Splunk on AWS.

How Splunk and AWS Enabled End-to-End Visibility for PagerDuty and Bolstered ...

Amazon Web Services

Modern development teams are delivering features at a rapid pace using modern technologies such as containers, microservices, and serverless functions. Operations and infrastructure teams are supporting these rapid delivery cycles using Infrastructure as Code, Test Driven Infrastructure (TDI), and cloud automation. Yet, most security teams are still using traditional security approaches and can't keep up with the rate of accelerated change. Security must be reinvented in a DevOps world to take advantage of the opportunities provided by continuous integration and delivery pipelines. In this talk, attendees will take a journey through the DevSecOps Toolchain broken down into the key phases: pre-commit, commit, acceptance, production, and operations. We will explore the pre-commit and commit phases in-depth, identifying security controls, open source tools, and how to integrate these tools into a pipeline. Attendees will walk away with a practical approach for weaponizing the toolchain and building a successful DevSecOps program.

Weaponizing Your DevOps Pipeline

Puma Security, LLC

3830100.ppt

azida3

Your organization has already embraced the DevOps methodology? That’s a great start. But what about security? It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case. Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource, and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss: Why traditional DevOps has shifted, and what this will mean? Who should own security in the age of DevOps? Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline?

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

DevOps.com

AWS live hack: Docker + Snyk Container on AWS

Eric Smalling

Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products. During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.

Digital Product Security

SoftServe

Turning security into code by Jeff Williams

DevSecCon

Semelhante a Security in agile teams (20)

The New Security Practitioner

Legacy-SecDevOps (AppSec Management Debrief)

Product Security

Essentials of Project Management

A question of trust - understanding Open Source risks

Shields Up Presentation.pdf

Application Security from the Inside Out

Security Culture from Concept to Maintenance: Secure Software Development Lif...

AWS live hack: Atlassian + Snyk OSS on AWS

DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...

Introduction to DevSecOps

A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020

Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017

How Splunk and AWS Enabled End-to-End Visibility for PagerDuty and Bolstered ...

Weaponizing Your DevOps Pipeline

3830100.ppt

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps

AWS live hack: Docker + Snyk Container on AWS

Digital Product Security

Turning security into code by Jeff Williams

Mais de Maria Gomez

From Monolith to Observable Microservices using DDD

Maria Gomez

CQRS and Event Sourcing: A DevOps perspective

Maria Gomez

Splitting the monolith using Domain Driven Design

Maria Gomez

Slides from the talk given at O'Reilly Software Architecture conference in London in Oct 2018. Think of this talk as Microservices 201. You know microservices basics and their pros and cons and have maybe even started putting them in production but haven’t spent much time thinking about how to maintain them. Maria Gomez explores the most important operational concerns for maintaining microservices and explains why observability helps you in maintaining a healthy production environment.

Observable Microservices (O'Reilly SACon London 2018)

Maria Gomez

Slides for the talk given in Madrid at the Thoughtworks meetup event with Martin Fowler. Onboarding is a key part of a team’s success and productivity as well as the new joiners’. However, as technologists we sometimes fail to pay enough attention to it, not having a clear approach to it. In this talk, we share different techniques on how to improve the onboarding process. From effectively sharing the vision to improving the time it takes a new engineer to contribute to the team.

Effective team onboarding

Maria Gomez

Slides from my talk at the O'Reilly Software Architecture conference in NY (Feb 2018). Think of this talk as Microservices 201. You know microservices basics and their pros and cons and have maybe even started putting them in production but haven’t spent much time thinking about how to maintain them. Maria Gomez explores the most important operational concerns for maintaining microservices and explains why observability helps you maintain a healthy production environment.

Observable microservices (O'Reilly SACon NY 2018)

Maria Gomez

Observable Microservices

Maria Gomez

Splitting the Monolith

Maria Gomez

Taller de Refactorización (Campus Party Quito 2014)

Maria Gomez

Refactoring workshop (Campus Party Quito 2014)

Maria Gomez

Project Management - Report

Maria Gomez

Principles of New Media - Essay

Maria Gomez

Project Management - Risk management

Maria Gomez

Responsive Environments - MoodMixer Presentation

Maria Gomez

Responsive Environments - Critical report

Maria Gomez

New Media Management - Gantt chart

Maria Gomez

New Media Management - Project plan

Maria Gomez

New Media Management - Presentation

Maria Gomez

New Media Management - Report

Maria Gomez

Mais de Maria Gomez (19)

From Monolith to Observable Microservices using DDD

CQRS and Event Sourcing: A DevOps perspective

Splitting the monolith using Domain Driven Design

Observable Microservices (O'Reilly SACon London 2018)

Effective team onboarding

Observable microservices (O'Reilly SACon NY 2018)

Observable Microservices

Splitting the Monolith

Taller de Refactorización (Campus Party Quito 2014)

Refactoring workshop (Campus Party Quito 2014)

Project Management - Report

Principles of New Media - Essay

Project Management - Risk management

Responsive Environments - MoodMixer Presentation

Responsive Environments - Critical report

New Media Management - Gantt chart

New Media Management - Project plan

New Media Management - Presentation

New Media Management - Report

Último

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

DBX First Quarter 2024 Investor Presentation

Dropbox

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

ICT role in 21st century education and its challenges

rafiqahmad00786416

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Security in agile teams

1. D o u b l e - c l i c k t o e d i t SECURITY IN AGILE TEAMS Maria Gomez @mariascandella Barcelona June 2017

2. Developer Architect Coach Tech lead Speaker Security Expert

3. Developer Architect Coach Tech lead Speaker Security Expert

4. With great power comes great responsibility “ — uncle Ben https://ﬂic.kr/p/5UDwbm

5. https://ﬂic.kr/p/c12Ad

6. We could do better

8. BENEFITS • Higher conﬁdence • Evolutionary model • Better testing and planning • Faster reaction to making improvements or ﬁxes

10. INCEPTION

11. WHAT’S THE CURRENT STATE? • List of existing systems/applications as well as their users. • Review of past incidents/attacks • Review of existing security policies and how they will impact the scope of the project

12. WHAT WILL BE BUILT?

13. WHAT IS THE CURRENT THREAT LANDSCAPE? https://www.owasp.org/index.php/Application_Threat_Modeling

14. DELIVERY

15. SECURITY CHECKLIST • Secret Management tool for the team • Password Manager • Keep secrets out of source control • Dependency checker for the CI/CD pipeline • Static analysis tools Cade Cairns - Security Playbook (https://github.com/cairnsc/security-playbook)

16. READY FOR DEV • Identify security requirements • Introduce acceptance criteria Given an unauthenticated user enters the system When she tries to view her proﬁle Then she is redirected to the login page #0

17. IN DEV

18. IN QA The system meets the acceptance criteria CFRs have been taken into account and implemented as part of the story, if necessary Established code conventions have been met Check against attack trees

19. IN PROD Incident Report Plan

20. CONTINUOUS IMPROVEMENT Given an unauthenticated user enters the system When she tries to view her proﬁle Then she is redirected to the login page #

21.

22. REFERENCES https://www.thoughtworks.com/insights/blog/incorporating-security-best- practices-agile-teams https://github.com/cairnsc/security-playbook https://martinfowler.com/articles/web-security-basics.html https://www.owasp.org/index.php/Main_Page

23. @mariascandella THANKS!

Security in agile teams

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Security in agile teams

Semelhante a Security in agile teams (20)

Mais de Maria Gomez

Mais de Maria Gomez (19)

Último

Último (20)

Security in agile teams