How to Manage Risk of Your Polyglot Environments
Presenters
● Jeff Rouse, VP Product, ActiveState
● Pete Garcin, Senior Product Manager, ActiveState
● Larry Maccherone, Head of DevSecOps Transformation, Comcast
Manage Risk: Polyglot Environments
Jeff Rouse, VP Product, ActiveState
Platform Presentation
Track-record: 97% of Fortune 1000, 20+ years open source
Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby
Runtime Focus: concept to development to production
What’s Polyglot?
How Do Polyglot Environments Evolve?
● Technology. Best tool for the job in modern software projects.
● People. Technology stacks added through acquisition or changes in tech leadership.
● Time. Technologies come in and out of favour; old languages never die.
Every Organization is Polyglot
● Any desktop application with an online component.
● YAML configuration used with any project.
● An application with embedded scripting.
Source: ActiveState Developer Survey 2018, Open Source Runtime Pains
Adding a Language
Source: ActiveState Developer Survey 2018, Open Source Runtime Pains
Rank the Challenges
Source: ActiveState Developer Survey 2018, Open Source Runtime Pains
Stability & Security → Painful
Hidden Costs: managing dependencies (75%)
Source: ActiveState Developer Survey 2018, Open Source Runtime Pains
Benefits
● Speed. Ship faster: better products, better innovation.
● Recruitment. Be an attractive workplace: enable coders to choose the tools they need.
Drawbacks
● Variability. Tooling support and programming language quality vary.
● Expertise Gap. Deep core competency is at odds with breadth of programming languages.
● Dependencies. Larger pool of dependencies.
● Support Costs. Unable to centralize maintenance.
Magnified Issues
How will you monitor, identify and resolve?
Production bugs, Common Vulnerabilities & Exposures (CVE) and threats; additional risk exposure from 3rd party dependencies.
Equifax Breach: out-of-date 3rd party dependency
Reduce Services → Reduce Tools → Reduce Libs → Reduce Attack Surface
Robust Processes, Automated and Centralized for Visibility
Resolutions
Pete Garcin, Senior Product Manager, ActiveState
Platform Presentation
Automated Processes
Resolving
● Automate.
● Bundle.
● Simplify Shares. Encourage adoption of common environments.
Environment Configuration
Dependency Management
Workflow Configuration
Best Practices - Build Eng & Development
Build Standard / Reproduce & Manage / Shrink Build
Monitor Runtime / Get Updates
Best Practices - Development to Production
Benefits to You: Time, Dev Zen
Same Same
A lean/agile transformation approach to achieving a DevSecOps culture
Larry_Maccherone@Comcast.com
Security practices on DevOps continuum ➔ DevSecOps
• Static/IAST analysis
• Abuse case tests
• Code review
• Break the build: code analysis
• Threat modeling → backlog items
• Analyze/Predict → backlog items
• Design complies with policy?
• Test security features
• Common abuse cases
• Pen testing (Vuls found → Test scripts)
• Compliance validation (PCI, etc.)
• Fuzzing
• If we do X will it mitigate Y?
• Capacity forecasting
• Learning → Update playbooks and Training
• Configuration validation
• Feature toggles/Traffic shaping configuration
• Secrets management
• Log information for after-incident analysis
• Intrusion detection
• App attack detection
• Restore/maintain service for non-attack usage
• RASP auto respond
• Roll-back or toggle off
• Block attacker
• Shut down services
• Analysis → Learning
• Defect/Incident 3-step
• New attack surface? Plan to update threat model
That’s a lot of stuff! How do we get development teams to adopt?
EXAMPLE: Visualizing an Org’s practices
Dev[Sec]Ops is… empowered engineering teams taking ownership of how their product performs in production [including security]
Build security in more than bolt it on
Rely on empowered engineering teams more than security specialists
Implement features securely more than security features
Rely on continuous learning more than end-of-phase gates
Build on culture change more than policy enforcement
DevSecOps Manifesto
We, the Security Team…
Recognize that Engineering Teams…
• Want to do the right thing
• Are closer to the business context and will make trade-off decisions between security and other risks
• Want information and advice so those trade-off decisions are more informed
Pledge to…
• Lower the cost/effort side of any investment in developer security tools or practices
• Assist 2x as much with preventative initiatives as we beg for your assistance reacting to security incidents
Understand that…
• We are no longer gate keepers but rather tool-smiths and advisors
DevSecOps Tool Landscape
Static Analysis (aka SAST)
• Looks at source code
• Data/control flow analysis
• Prone to false positives
• Rapid feedback for developers
• Code fix suggestions
Dynamic
• Exercises app via UI/API
• Senses vulnerability by response to input
• Zero? false positives. Report is an exploit
• High false negatives
• Difficult to implement, especially w/ auth
• Sometimes hard to find code to remediate
Runtime Application Security Protection (RASP)
• Often uses same engine as IAST
• Reports on “bad” behavior
• Can abort transaction or kill process to protect
Fuzzing (black box)
• Instruments system (to varying degrees)
• Sends unexpected input at API
• Looks at response and instrumentation output
• Great for testing protocols like SIP
• Good for REST APIs
• Potentially long run times
• Hard to find code to remediate
Primary Code Analysis (PCA): for code you write (1st party)
Software Composition Analysis (SCA): for code you import (3rd party)
• Identifies dependency and version
• Checks CVE/NVD + … for reported vulnerabilities
• Proposes version/patch to remediate
• Checks license vs policy
• Runs fast
• Easy to implement
• Best bang for buck!
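The SCA bullets above describe a pipeline step without showing one. As an added example, not part of the slides or of ActiveState's or Comcast's tooling, here is a small Python checker that does the same four things: identify each pinned dependency and its version, compare it against an advisory feed, propose the fixed version, and check the license against a policy. The manifest, the advisory identifiers (EXAMPLE-ADV-…), and the license table are constructed sample data, not real CVE records; a real tool would pull its feed from NVD or a similar source.

```python
"""Minimal SCA-style dependency check (added example; constructed sample data).

Steps mirror the slide: identify dependency + version, match against a
vulnerability feed, propose the remediating version, check license vs policy.
"""
from dataclasses import dataclass

# Constructed manifest in pip "requirements.txt" style (name==version).
MANIFEST = """\
requests==2.19.0
pyyaml==3.12
leftpad==1.0.0
"""

# Constructed advisory feed (NOT real CVEs):
# package -> list of (affected_below, fixed_in, advisory_id).
# A pinned version is affected when it is strictly less than affected_below.
ADVISORIES = {
    "requests": [("2.20.0", "2.20.0", "EXAMPLE-ADV-0001")],
    "pyyaml":   [("5.1", "5.1", "EXAMPLE-ADV-0002")],
}

# Constructed license metadata and an allow-list policy.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "leftpad": "GPL-3.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(v: str) -> tuple:
    """'2.19.0' -> (2, 19, 0). Non-numeric parts compare as 0 (simplification;
    a production tool would use a PEP 440 / semver parser)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_manifest(text: str) -> dict:
    """Identify dependency name and pinned version from name==version lines.
    Unpinned entries are rejected: without a version there is nothing to match."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


@dataclass
class Finding:
    package: str
    version: str
    kind: str          # "vulnerability" or "license"
    detail: str        # advisory id or license name
    remediation: str   # proposed fix


def check_dependencies(manifest_text: str, advisories=ADVISORIES,
                       licenses=LICENSES, allowed=ALLOWED_LICENSES) -> list:
    """Return one Finding per vulnerable version or disallowed license."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        v = parse_version(version)
        # Vulnerability check: affected if pinned version < affected_below.
        for affected_below, fixed_in, adv_id in advisories.get(name, []):
            if v < parse_version(affected_below):
                findings.append(Finding(name, version, "vulnerability", adv_id,
                                        f"upgrade to >= {fixed_in}"))
        # License policy check; unknown licenses fail closed.
        lic = licenses.get(name, "UNKNOWN")
        if lic not in allowed:
            findings.append(Finding(name, version, "license", lic,
                                    "replace package or obtain approval"))
    return findings


if __name__ == "__main__":
    for f in check_dependencies(MANIFEST):
        print(f"{f.kind:13} {f.package}=={f.version}: {f.detail} -> {f.remediation}")
```

Run as a script it lists two vulnerable versions and one license violation for the constructed manifest. Two design points worth keeping in a real implementation: unpinned dependencies are rejected rather than silently skipped, and a package with no license metadata fails the policy check rather than passing it.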
IAST
• Runtime code analysis
• Combine dynamic/static
• Low false positives
• Depends on test coverage
• Immature but getting there
What’s next?
• Questions?
• Pilot this DevSecOps transformation framework with a few of your teams
• Connect with me on:
Q & A
What’s Next
● Watch a demo:
https://www.youtube.com/watch?v=c5AIxN9ehrI
● Get a demo marketing@activestate.com
● Contact us for the language build you need:
platform@activestate.com
Tel: 1.866.631.4581
Website: www.activestate.com
Twitter: @activestate
Facebook: /activestatesoftware
Where to find us

Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift Environments
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
 

Último

GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
Federico Razzoli
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 

Último (20)

GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 

How to Manage the Risk of your Polyglot Environments

  • 1. How to Manage Risk of Your Polyglot Environments
  • 2. Presenters ● Jeff Rouse, VP Product, ActiveState ● Pete Garcin, Senior Product Manager, ActiveState ● Larry Maccherone, Head of DevSecOps Transformation, Comcast Manage Risk: Polyglot Environments
  • 4. Platform Presentation. Jeff Rouse, VP Product, ActiveState
  • 5. Track record: 97% of Fortune 1000, 20+ years open source. Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby. Runtime focus: concept to development to production.
  • 7. How Do Polyglot Environments Evolve? ● Technology. Best tool for the job, modern software projects. ● People. Technology stacks added through acquisition, changes in tech leadership. ● Time. Technologies come in & out of favour; old languages never die.
  • 8. Every Organization is Polyglot ● Any desktop application with an online component. ● YAML configuration used with any project. ● An application with embedded scripting.
  • 9. Adding a Language (Source: ActiveState Developer Survey 2018, Open Source Runtime Pains)
  • 10. Rank the Challenges (Source: ActiveState Developer Survey 2018, Open Source Runtime Pains)
  • 11. Stability & Security → Painful (Source: ActiveState Developer Survey 2018, Open Source Runtime Pains)
  • 12. Hidden Costs: 75% managing dependencies (Source: ActiveState Developer Survey 2018, Open Source Runtime Pains)
  • 13. Benefits ● Speed. Ship faster: better products, better innovation. ● Recruitment. Be an attractive workplace: enable coders to choose the tools they need.
  • 14. Drawbacks ● Variability. Tooling support & programming language quality. ● Expertise Gap. Deep core competency at odds with breadth of programming languages. ● Dependencies. Larger pool of dependencies. ● Support Costs. Unable to centralize maintenance.
  • 15. Magnified Issues. How will you monitor, identify and resolve? Production bugs, Common Vulnerabilities & Exposures (CVE), threats; additional risk exposure with 3rd party dependencies. Equifax Breach: out-of-date 3rd party dependency.
  • 16. Resolutions: Reduce Services, Reduce Tools, Reduce Libs, Reduce Attack Surface. Robust processes, automated and centralized for visibility.
  • 17. Pete Garcin, Senior Product Manager, ActiveState
  • 18. Platform Presentation. Pete Garcin, Senior Product Manager, ActiveState
  • 21. Resolving ● Automate. ● Bundle. ● Simplify Shares. Encourage adoption of common environments.
  • 25. Best Practices - Build Eng & Development: Build Standard, Reproduce & Manage, Shrink Build
  • 26. Best Practices - Development to Production: Monitor Runtime, Get Updates
  • 27. Benefits to You: Time, Dev Zen
  • 28. A lean/agile transformation approach to achieving a DevSecOps culture
  • 29. Larry_Maccherone@Comcast.com
  • 30. Security practices on DevOps continuum ➔ DevSecOps • Static/IAST analysis • Abuse case tests • Code review • Break the build code analysis • Threat modeling → backlog items • Analyze/Predict → backlog items • Design complies with policy? • Test security features • Common abuse cases • Pen testing (Vuls found → Test scripts) • Compliance validation (PCI, etc.) • Fuzzing • If we do X will it mitigate Y? • Capacity forecasting • Learning → Update playbooks and Training • Configuration validation • Feature toggles/Traffic shaping configuration • Secrets management • Log information for after-incident analysis • Intrusion detection • App attack detection • Restore/maintain service for non-attack usage • RASP auto respond • Roll-back or toggle off • Block attacker • Shut down services • Analysis → Learning • Defect/Incident 3-step • New attack surface? Plan to update threat model
  • 31. That’s a lot of stuff! How do we get development teams to adopt?
  • 34. Dev[Sec]Ops is… empowered engineering teams taking ownership of how their product performs in production [including security]
  • 35. DevSecOps Manifesto: Build security in more than bolt it on. Rely on empowered engineering teams more than security specialists. Implement features securely more than security features. Rely on continuous learning more than end-of-phase gates. Build on culture change more than policy enforcement.
  • 36. We, the Security Team… Recognize that Engineering Teams… • Want to do the right thing • Are closer to the business context and will make trade-off decisions between security and other risks • Want information and advice so those trade-off decisions are more informed Pledge to… • Lower the cost/effort side of any investment in developer security tools or practices • Assist 2x as much with preventative initiatives as we beg for your assistance reacting to security incidents Understand that… • We are no longer gatekeepers but rather tool-smiths and advisors
  • 37. DevSecOps Tool Landscape Static Analysis (aka SAST) • Looks at source code • Data/control flow analysis • Prone to false positives • Rapid feedback for developers • Code fix suggestions Dynamic • Exercises app via UI/API • Senses vulnerability by response to input • Zero? false positives. Report is an exploit • High false negatives • Difficult to implement especially w/ auth • Sometimes hard to find code to remediate Runtime Application Security Protection (RASP) • Often uses same engine as IAST • Reports on “bad” behavior • Can abort transaction or kill process to protect Fuzzing (black box) • Instruments system (to varying degrees) • Sends unexpected input at API • Looks at response and instrumentation output • Great for testing protocols like SIP • Good for REST APIs • Potentially long run times • Hard to find code to remediate Primary Code Analysis (PCA) for code you write (1st party) Software Composition Analysis (SCA) for code you import (3rd party) • Identifies dependency and version • Checks CVE/NVD + … for reported vulnerabilities • Proposes version/patch to remediate • Checks license vs policy • Runs fast • Easy to implement • Best bang for buck! IAST • Runtime code analysis • Combine dynamic/static • Low false positives • Depends on test coverage • Immature but getting there
  • 38.
  • 39. What’s next? • Questions? • Pilot this DevSecOps transformation framework with a few of your teams • Connect with me on:
  • 40. Q & A
  • 41. What’s Next ● Watch a demo: https://www.youtube.com/watch?v=c5AIxN9ehrI ● Get a demo marketing@activestate.com ● Contact us for the language build you need: platform@activestate.com
  • 42. Where to find us. Tel: 1.866.631.4581. Website: www.activestate.com. Twitter: @activestate. Facebook: /activestatesoftware
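The Software Composition Analysis bullets on slide 37 (identify dependency and version, check an advisory feed, propose the fixing version, check license against policy) carried out as a small working check over the deck's own polyglot case, as an added example that is not the presenters' or ActiveState's code. It assumes constructed manifests for Python, Go and Ruby, a constructed advisory feed with placeholder IDs, and a constructed license table; none of them describe a real project or a real CVE.

```python
"""Added example, not code from the deck: a minimal polyglot software composition
check after slide 37's SCA bullets (identify dependency and version, check an
advisory feed, propose the fix, check license vs policy). All manifests,
advisory IDs and licenses here are constructed sample data."""
import re
from collections import namedtuple
Dep = namedtuple("Dep", "ecosystem name version")

def parse_requirements(text):
    """pip requirements.txt: accept only exact pins 'name==version'."""
    pins = (re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", l.split("#", 1)[0].strip())
            for l in text.splitlines())
    return [Dep("pypi", m.group(1).lower(), m.group(2)) for m in pins if m]

def parse_go_mod(text):
    """go.mod: 'path vX.Y.Z' inside a require block or on a one-line require."""
    deps, in_block = [], False
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()      # drop '// indirect' comments
        if line.startswith("require ("):
            in_block = True
        elif line == ")":
            in_block = False
        m = re.fullmatch(r"(?:require\s+)?(\S+)\s+v(\d+\.\d+\.\d+\S*)", line)
        if m and (in_block or line.startswith("require ")):
            deps.append(Dep("go", m.group(1), m.group(2)))
    return deps

def parse_gemfile_lock(text):
    """Gemfile.lock: resolved gems are the 4-space-indented 'name (version)' lines."""
    specs = (re.fullmatch(r"    ([A-Za-z0-9_.-]+) \(([0-9][0-9A-Za-z.]*)\)", l) for l in text.splitlines())
    return [Dep("rubygems", m.group(1), m.group(2)) for m in specs if m]

def version_key(v):
    """Numeric tuple for ordering; adequate for the plain x.y.z pins used here."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def audit(deps, advisories, licenses, denied):
    """Flag pins below an advisory's fixed_in version, and license policy hits."""
    findings = []
    for d in deps:
        for adv in advisories:
            if ((adv["ecosystem"], adv["name"]) == (d.ecosystem, d.name)
                    and version_key(d.version) < version_key(adv["fixed_in"])):
                findings.append({"dep": d, "kind": "vulnerable", "advisory": adv["id"],
                                 "remediation": f"upgrade to {adv['fixed_in']}"})
        lic = licenses.get((d.ecosystem, d.name), "UNKNOWN")   # unknown needs review too
        if lic in denied or lic == "UNKNOWN":
            findings.append({"dep": d, "kind": "license", "license": lic,
                             "remediation": "review against license policy"})
    return findings

# Constructed sample inputs: three manifests, an advisory feed with placeholder IDs, a policy.
REQUIREMENTS_TXT = "flask==1.0.2\nrequests==2.19.1  # pinned\n-e .  # editable, skipped\n"
GO_MOD = ("module example.com/svc\n\ngo 1.16\n\nrequire (\n\tgithub.com/example/jsonparse"
          " v1.4.0 // indirect\n\tgithub.com/example/logfmt v0.2.1\n)\n")
GEMFILE_LOCK = "GEM\n  remote: https://rubygems.org/\n  specs:\n    nokogiri (1.8.2)\n    rack (2.0.5)\n"
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "ecosystem": "pypi", "name": "flask", "fixed_in": "1.0.3"},
    {"id": "ADV-EXAMPLE-002", "ecosystem": "go", "name": "github.com/example/jsonparse", "fixed_in": "1.5.0"},
    {"id": "ADV-EXAMPLE-003", "ecosystem": "rubygems", "name": "rack", "fixed_in": "2.0.4"},  # pin is newer
]
LICENSES = {("pypi", "flask"): "BSD-3-Clause", ("pypi", "requests"): "Apache-2.0", ("rubygems", "rack"): "MIT",
            ("go", "github.com/example/jsonparse"): "MIT", ("go", "github.com/example/logfmt"): "AGPL-3.0"}

def run_demo():
    """nokogiri is deliberately absent from LICENSES, so it surfaces as UNKNOWN."""
    deps = parse_requirements(REQUIREMENTS_TXT) + parse_go_mod(GO_MOD) + parse_gemfile_lock(GEMFILE_LOCK)
    return audit(deps, ADVISORIES, LICENSES, denied={"AGPL-3.0"})
```

In a real pipeline the constructed ADVISORIES and LICENSES would be replaced by a feed such as CVE/NVD and the package indexes' license metadata, and `run_demo()` would break the build on any finding.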