Forem: DevSecCon

The perils of configuration security

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻 — Mon, 16 Mar 2020 12:21:08 +0000

A MyDevSecOps live session from Feb 26, 2020 by Gareth Rushgrove

With the growth of cloud and API-driven infrastructure, came infrastructure as code. This movement shifted the management of configuration from a mainly hidden part of IT, to a larger and more explicit part of software development. If you’re not writing YAML files you’re probably writing tools to write YAML files.

But an incorrectly configured application can have an outsized impact on the common security challenges of confidentiality, integrity and availability.

In this discussion we’ll look at:

Examples of real-world hacks related to configuration issues
The problems found in projects like Kubernetes that have a large configuration surface area
What it looks like to apply application security approaches to infrastructure as code
Demos of tools that are emerging to help test configuration

This session should be of interest to developers and operators struggling with the explosion of configuration as well as security analysts interested in the higher level emerging problem of configuration security.

How to implement DevSecOps across the entire organisation

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻 — Wed, 26 Feb 2020 13:06:57 +0000

A MyDevSecOps live session from Feb 13, 2020 by Nadira Bejrei

In this session, we will talk about how you can Implementation DevSecOps in the entire organization. The DevSecOps Implementation should cover 4 main things: 1. Culture, 2. Automation, 3. Measurement, 4.Sharing. If your organization only focuses on one of these things then we can't call it DevSecOps. Nadira will help you understand how organizations build culture and implement automation as well as how to measure what you're doing. She'll show you some common collaboration tools for breaking the silos between team members.

Web Application Firewall - Friend of your DevOps pipeline?

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻 — Wed, 26 Feb 2020 13:01:56 +0000

A MyDevSecOps live session from Jan 30 2020 by Franziska Buehler

Web Application Firewalls (WAF) often raise concern about false positives, latency and other potential production problems. In addition, it is often said, that DevOps and WAF do not fit together. That is a pity since the WAF helps to protect us from web application attacks, like those described by the OWASP Top Ten. But what if you could ensure that introducing and using a WAF went smoothly?

I will show how to integrate a WAF with WAF testing automation into a continuous integration (CI) pipeline. This pipeline ensures that developers receive early and often feedback about their WAF, saves them time and headaches down the line. In fact, DevOps, testing and automation only make sense if all components are part of the process.

Needless to mention, I as an OWASP Core Rule Set (CRS) developer and enthusiast introduced the CRS to Puzzle ITC when I joined them in 2019! By providing YAML templates, we want to make it easy for developers to introduce WAFs into projects.