Archive for tag: OWASP

Spy vs Spy: Harvesting Adversaries

"The guy who wrote wifi software with SSID never imagined that someone could use that SSID to transmit data by writing two smaller applications to leverage it. We are constantly going to be in this [type of] battle. Ultimately we've got to find a way to stay ahead of it by understanding the mechanisms by which we're writing the abuse case possibilities." -- Shannon Lietz

Following their session at DevOps Enterprise Summit 2018, I sat down with Shannon Lietz and James Wickett to talk about who the real adversaries are when it comes to application security, what you can do to expose those adversaries, and the steps to get started on your own internal adversary program.

About Shannon Lietz, DevSecOps Leader for Intuit

Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security defenses and next-generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company's DevSecOps and cloud security strategy, roadmap and implementation in support of corporate innovation. She operates a 24x7 DevSecOps team that specializes in Adversary Management. Prior to joining Intuit, Ms. Lietz worked for ServiceNow, where she was responsible for the cloud security engineering efforts, and Sony, where she drove the implementation of a new secure data center. Ms. Lietz has significant experience leading crisis management of large-scale security breaches and restoration of services for several Fortune 500 companies. She has previous experience as the founder of a metrics company, leading major initiatives for hosting providers as a Master Security Architect, developing security software and consulting for many Fortune 500 companies globally. Ms. Lietz is an IANS faculty member and holds a Bachelor of Science degree in Biological Sciences from Mount St. Mary's College.

About James Wickett, Head of Research, Signal Sciences

James spends a lot of time at the intersection of the DevOps and Security communities. He works as Head of Research at Signal Sciences and is a supporter of the Rugged Software and DevSecOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of several security and DevOps courses on LinkedIn Learning, including: DevOps Foundations, Infrastructure as Code, DevSecOps: Automated Security Testing, Continuous Delivery (CI/CD), and Site Reliability Engineering. He got his start in technology when he founded a startup as a student at the University of Oklahoma and has since worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. He is a dynamic speaker on topics in DevOps, AppSec, InfoSec, cloud security, automated security testing, DevSecOps and serverless. James is the creator and founder of the Lonestar Application Security Conference, the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and previously served on the global DevOps Days board. He holds several security certifications, including CISSP and GWAPT.


Moving from Projects to Products w/ Mik Kersten

"If you look inside a large enterprise IT organization, they have this very bizarre and broken layer that's completely separating the way that business thinks in terms of products, budgets and costs, and the way IT people know the way they need to innovate, which is delivering products faster." -- Mik Kersten

I sat down with Mik Kersten, CEO of Tasktop, and John Willis after Mik's presentation at DOES2018. His new book, Projects to Products, is an attempt to help the industry move from success metrics more appropriate for the industrial age to a new type of measurement, where value is measured as part of the overall business goal through Value Stream Mapping.

About Mik Kersten

Dr. Mik Kersten is the CEO of Tasktop Technologies, creator and leader of the Eclipse Mylyn open source project and inventor of the task-focused interface. As a research scientist at Xerox PARC, Mik implemented the first aspect-oriented programming tools for AspectJ. He created Mylyn and the task-focused interface during his PhD in Computer Science at the University of British Columbia. Mik has been an Eclipse committer since 2002, is an elected member of the Eclipse Board of Directors and serves on the Eclipse Architecture and Planning councils. Mik's thought leadership on task-focused collaboration makes him a popular speaker at software conferences, and he was voted a JavaOne Rock Star speaker in 2008 and 2009. Mik enjoys building tools that offload our brains and make it easier to get creative work done.

Specialties: Software Development Tools, Productivity Tools, Task-Focused Interfaces, Application Lifecycle Management, Agile, Management, Aspect-Oriented Programming, Eclipse, Java


The Journey to Open Source at Capital One w/ Tapabrata "Topo" Pal

Why would you allow open source usage in your company? What are the compelling reasons to take the risk? In this discussion, I talk with Topo Pal and Derek Weeks about the industry perception of open source and what's really happening behind the curtain at large enterprises. Topo had just finished his keynote presentation at DevOps Enterprise Summit 2018, and I wanted to dive a little deeper into some of the things he talked about.

About Topo Pal

Dr. Topo Pal is Senior Director & Sr. Engineering Fellow at Capital One. His main areas of expertise are DevOps/DevOpsSec/Rugged DevOps and Continuous Integration/Continuous Delivery. Topo is also interested in Natural Language Processing, Information Extraction, Architecture Strategy, Application Architecture and Integration Architecture.

About Derek Weeks

Derek E. Weeks, Vice President, Sonatype. Derek is a huge advocate of applying proven supply chain management principles to DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is also the co-founder of All Day DevOps, an online community of 40,000 IT professionals, and the lead researcher behind the annual State of the Software Supply Chain report for the DevOps industry. In 2018, Derek was recognized by DevOps.com as the "Best DevOps Evangelist" for his work in the community.


The Future of Software and DevOps / with Sacha Labourey

"The compensation, the incentives that people have are very much anchored in short term objectives that do not take into account the vision for the bigger transformations that are happening within the market." -- Sacha Labourey, CEO, CloudBees

Sacha Labourey runs one of the most visible, respected companies within the DevOps and DevSecOps communities. At Jenkins World 2018, I sat down with Sacha to hear how his year went, how security can become a more important process within the software development pipeline, and how the Jenkins community adds value to the company.
