CONFERENCE GUIDE


Join the conversation and share your DevSecCon experience with those who couldn’t make it!

#DevSecCon

WELCOME

Thank you for choosing to spend your day with us at DevSecCon Asia 2017. We are really proud to be in Singapore for the first time and to bring so many inspiring speakers and workshops to you today, to share our vision of creating continuously secure solutions.

Traditional Security is often counterproductive because it exists in isolation from the business drivers and development processes. We want to tear down these walls and create a new era in which DevOps and Security embrace collaboration, thus enabling Developers to create applications which are secure from requirements to the final product.

DevSecCon is a platform for professionals to learn ways to implement these new ideas into their business and help them to challenge the approach to secure development and delivery in their organisations.

We hope you enjoy the day and can’t wait to hear your feedback to tailor our next event accordingly.

Francois Raynaud, Stefan Streichsbier, Suman Sourav and Lisa Raynaud

The DevSecCon Asia Team


TABLE OF CONTENTS

AGENDA

SESSION CATEGORIES

TALK TRACK (MORNING)

WORKSHOP TRACK (MORNING)

TALK TRACK (AFTERNOON)

WORKSHOP TRACK (AFTERNOON)

MEET OUR SPEAKERS

OUR SPONSORS

VENUE MAP

We want to hear your feedback

Help us to improve DevSecCon by participating in a five minute survey.

Upon completing the survey, you will automatically be entered in a raffle for the chance to win one of three free tickets for DevSecCon Asia 2018.

To take the survey, go to www.devseccon.com/asia-2017/survey

Or scan the QR code.


AGENDA

MORNING

08:30 Atrium Ballroom Foyer

Registration and breakfast buffet

09:25 Atrium Ballroom

Opening speech

09:30 Atrium Ballroom

Keynote

TALK TRACK: Atrium Ballroom

WORKSHOP TRACK: Orchard Room

10:00 Talk track: CD and Segregation of Duties (SoD)

10:00 Workshop track: Automated infrastructure security monitoring and defence

10:30 Talk track: Extending and securing Chat-Ops

10:55 10 minute break

11:05 Talk track: Integrating crowdsourced security into agile SDLC

11:35 Talk track: AppSec DevOps automation – real world cases

12:00 Atrium Ballroom Foyer

Lunch buffet and break


AFTERNOON / EVENING

TALK TRACK: Atrium Ballroom

WORKSHOP TRACK: Orchard Room

13:00 Talk track: Securing the container DevOps pipeline

13:00 Workshop track: Developing a high-performance security focussed Agile Team

13:30 Talk track: Building an application vulnerability toolchain for DevSecOps

14:00 Talk track: Using open source automation tools for DevSecOps

14:30 Talk track: A trip through the security of DevOps tools

14:55 10 minute break

15:05 Talk track: From resilient to antifragile – chaos engineering primer

15:05 Workshop track: Automated testing and security

15:35 Talk track: DevSecOps in the government

16:05 Talk track: Testing IOT application endpoints

16:35 Talk track: Using adversarial modelling in driving secure application development

17:00 Bobby’s Restaurant and Bar

Networking drinks


SESSION CATEGORIES

To help you choose which sessions to attend, we have grouped them into these categories:

P: PIPELINE

S: SSDLC (Secure Software Delivery Life Cycle)

C: CONTAINERS

R: RESILIENCE

I: IOT (Internet of Things)

To provide a quick overview, the respective category symbols are listed above the talk and workshop titles on the following pages – for example P for Pipeline.

TALK TRACK (MORNING)

09:25 Atrium Ballroom

Opening speech

A few words from the DevSecCon Asia team.

09:30 Atrium Ballroom

Keynote: Security is shifting left

Security has mostly operated towards the right of implementation just prior to deployment. With the introduction of Continuous Delivery, security must shift left and new processes, tools and skills must be formed. From risk acceptance, back to architectural decisions, everything security must be re-imagined in order to realise the vision of safer software sooner. Whether you practice DevOps or have been in the business of protecting workloads, this change is both exciting and somewhat mystifying. To further this global change, we’ve enlisted the help of heroes like you to highlight the path forward. Come join us to hear about the journey and enjoy some humorous tales.

Shannon Lietz, DevSecOps Lead, Intuit


10:00 Atrium Ballroom P

CD and Segregation of Duties (SoD)

Today, business and IT want to keep releasing fixes and new features to production quickly. However, policies and processes often introduce delays in deployment, and prevent the actual people who know how to solve problems from solving the problems. Instead it becomes a circus of raising tickets, getting sign offs, etc. Upon enquiry, we’re all told “This is to ensure Segregation of Duties”.

In this talk, we will cover what the authoritative articles on SoD say, our interpretation of the intent, and how we believe the intent can be fulfilled while permitting frequent deployments and much more flexible troubleshooting on production.

This talk will likely raise some controversial points and interpretations, but we hope that this will push the industry to have a reality check and modernise approaches.

Sriram Narayanan, DevOps and CD Consultant, ThoughtWorks


10:30 Atrium Ballroom S P

Extending and securing Chat-Ops

In this talk I will showcase chat tools extensions with Hubot and how to make chat and ops work well with a collaborative approach – taking lessons from DevOps and Agile ways of working. We will get into depths of bot-driven ops and making it effective in large enterprises by securing it with 2FA (Two Factor Authentication). Attendees will learn how to integrate security and bullet proof chat operations.

Key takeaways:

• Understanding the need for additional ops-security in large enterprises and solving it innovatively.

• Details about the usage of Two Factor Authentication and its powers to secure operations triggered from chat tools.

• New ways to integrate and extend the powers of bots.

Arun Narayanaswamy, Senior Manager Engineering


11:05 Atrium Ballroom S

Integrating crowdsourced security into agile SDLC

In an ideal world, security involvement should be part of the initial Portfolio Kanban when decisions on product design are being made. Small and medium-sized businesses are usually struggling with resources and a lack of the necessary security skill-set to provide valuable input into these patterns of core software development stages.

When developing an MVP (Minimum Viable Product) it is crucial that proper security assessments are conducted regardless of the customer set that it will be tested with and all the findings are remediated properly prior to release. One of the ways to cope with modern challenges is by adopting a crowdsourced approach. This enables extremely flexible methodologies with endless skill-set pools to integrate into various stages of the SDLC cycle (awareness, design review, source code analysis, threat modelling, penetration testing, risk workflow tracking etc.) to cope with today’s ever-evolving threats.

The presenter has been involved in all the mentioned DevSec phases and processes from two completely different perspectives: as a CISO and as a crowdsourced security researcher. In this talk we will share experiences and answer various questions and theories about “what will DevSecOps actually look like in the near future” and what can be done to make DevOps more resilient.

Ante Gulam, Global CISO, MetaPack Group


11:35 Atrium Ballroom S

AppSec DevOps automation – real world cases

Everybody wants to create the perfect AppSec test automation as part of DevOps. Transparently identifying security vulnerabilities as code is created and fixing them before they are ever noticed. But how does this work in real life? In this session we will review real world examples of building a successful automation process for delivery of secure software by DevOps groups.

The talk will begin with a quick review of the main challenges introduced by moving to a fast-paced (agile) software development world, where time-frames from coding to delivery can be as short as a few days, leaving no room for traditional security audits and reviews that were the main practice in the past.

Following that, we will present the core principles of continuous integration and testing automation as they are deployed and managed by DevOps, and analyse many of the pitfalls organisations are facing in the attempt to move from the theoretical practice to implementation of such a process.

Finally, we will examine three cases of customers (Retail, Insurance and Software Vendor), who have successfully built a process that works. At the end of the session, participants will have a much broader view on practical ways of building successful automation of secure coding practices.

Ofer Maor, Director of Security Strategy, Synopsys

WORKSHOP TRACK (MORNING)

10:00 Orchard Room R

Automated infrastructure security monitoring and defence

Monitoring for application attacks and defending against them in real-time is crucial. Crunch through all the logs from the various sources (web servers, applications, WAF etc.) to gain insights from anomalies in real-time. Making the right choices from the attacks can prove to be a nightmare, even with the solutions already available in the market.

In this training we can see attacks happening in real-time using a centralised dashboard. By collecting logs from various sources we will monitor and analyse the attacks. Using data gleaned from the logs, we can apply defensive rules against the attackers. We will be using open source technologies to build this monitoring solution.

Workshop attendees will receive a comprehensive walk-through E-book, Ansible Playbooks, custom scripts and best practices check-lists.

What attendees will need in order to participate:

• This workshop is intended for beginner to mid-level, participants should be comfortable with basic Linux CLI usage

• Laptop with administrative privileges

• VirtualBox 5 (or) above

• 10GB hard disk space for virtual machines

• Minimum 4 GB RAM

Madhu Akula, Automation Security Ninja, Appsecco

Akash Mahajan, Director, Appsecco


TALK TRACK (AFTERNOON)

13:00 Atrium Ballroom C P

Securing the container DevOps pipeline

Adoption of container technology has surged due to the standardisation and usability resulting from the Docker open sourcing effort and, as a result, the Open Container Initiative (OCI). Many DevOps practitioners leverage the portability and agility provided by containers in their CI/CD pipelines.

With the rise of automation capabilities and technologies that manage this pipeline, it is critical to make sure that all aspects of the container’s content and delivery are secure. Where did the container come from? Is it signed? Can we authenticate it? What’s inside? There are so many questions that also need to be automated to ensure the steady and secure deployment of mission critical containers onto the container platform. Also it is important that proper audit and forensics capabilities are enabled to help pinpoint vulnerabilities during or post event.

This talk looks at current CI/CD pipelines for container deployment and discusses areas where DevSecOps practitioners should focus. Much of the tooling today comes from popular open source technologies. This has many benefits. But trying to manage all of these tools, working together, and securely, can consume a lot of time and can expose its own vulnerabilities. How do we secure the software supply chain and the assets moving through that pipeline?

William Henry, DevOps Strategy Lead, Red Hat Inc.


13:30 Atrium Ballroom C P

Building an application vulnerability toolchain for DevSecOps

One of the key challenges for application security in DevOps is that scaling vulnerability assessment effectively is very challenging. Sure, some scanners come with plugins and integrations with CI tools, but with complex applications, API/Web services and complex business logic, vulnerability assessment without context, instrumentation and parameterisation leads to a large number of false-negatives, which is the worst kind of outcome.

My talk draws from multiple implementations of application security in DevOps, where one can create powerful, automated vulnerability toolchains that are automatically triggered and managed, auto-scaled (with containers) and provide a much higher quality of results through effective instrumentation, parameterisation and context, oh and did I mention, completely automated. The talk also delves into some key success factors for automated, instrumented vulnerability scanning at scale for applications. I will showcase an internally developed tool (will be released open source) for instrumented scanning of API using popular scanners like OWASP ZAP, w3af and BurpSuite. The objective of this talk is to give the audience a perspective of how they can unlock a higher quality of application vulnerability scanning at scale in their DevOps implementation.

Abhay Bhargav, CTO, we45


14:00 Atrium Ballroom P

Using open source automation tools for DevSecOps

Automation tools are key for managing DevOps and DevSecOps.

In this talk we’ll focus on setting up open source automation tools and their environment, using readily available modules for deploying servers/services, scaling, security compliance, monitoring, managing operations, patch management, configuration and more.

Moving on to developing customised modules, tweaking them as required for operation and finally managing identity and credentials for managing enterprise services is key for success.

Joel Divekar, Founder / CTO, Adi.technology


14:30 Atrium Ballroom P

A trip through the security of DevOps tools

Nowadays, security has become a very hot issue. With the DevOps philosophy spreading everywhere and the growing idea that now you could build a new project within a few days, some projects have started to leave security aside to focus on quickly delivering functionalities instead.

But how can we ignore today that the lack of security awareness comes with a price?

This presentation will be feedback from developers working on Incident Response and Malware Analysis, an open source project we’ve been developing since 2014.

From virtualization to automation, I will talk about security pitfalls and difficulties we’ve been through and will also share our experience on how to use those DevOps tools in secure environments: Who to trust? Which tools are more secure than others? How to combine everything in an offline environment due to security constraints? Do you really trust the Internet? We’ll also speak about good and bad practices, e.g. the usual “curl https://mywebsite/install.sh | sudo bash” or privileged users in Ansible runs.

Finally, I’ll talk about practical issues we’ve been facing for all our products: the offline (aka I-cant-connect-my-server-to-the-Evil-Internet) installation. How do you manage external dependencies? Security updates?

Guillaume Dedrie, R&D Developer, Quarkslab


15:05 Atrium Ballroom R

From resilient to antifragile – chaos engineering primer

Monkeys, Lemurs & Locusts Oh “We bought a Zoo” – Is the idea of a midnight meltdown keeping you up at night? Can we inject failure scenarios into deployed systems to reduce platform risk?

During this talk, demonstrations of the Simian Army, Chaos Lemur and Locust.io tools will be presented. We will go beyond reliability, stability and availability to help your platform operations team build a continuous process improvement program which will prepare your production systems for the unexpected.

Sergiu Bodiu, Platform Architect, Pivotal


15:35 Atrium Ballroom R

DevSecOps in the government

Singapore is known to be efficient and so is the government.

As Singapore’s software engineers adopt DevOps as part of the software development methodologies, the pace of software releases and changes is faster than the previously used waterfall method. Security has to keep pace with this change and DevSecOps is now more relevant.

As the government manages different classifications of data, there are different considerations and challenges to the architecture. As a DevSecOps engineer, these challenges are not easy to solve but it looks promising that the quality of Singapore government’s software is improving, and security is also a top priority.

The talk will discuss some of the common challenges in government context and some solutions to overcome them.

Fabian Lim, DevSecOps Engineer, GovTech


16:05 Atrium Ballroom R I

Testing IOT application endpoints

As we all connect everything in our homes to the Internet, we need to seriously consider the security of the endpoints we place in our homes and use every day. Our security cameras, water heaters and garage door openers are offering control and convenience like we have never seen and their use can be exposing sensitive data to the world.

IOT is not at all about the Internet, we already know quite a bit about the Internet and its problems. IOT is all about the “things”. Have we placed enough importance on the “things” from a security perspective? From exposing WIFI passwords via connected light bulbs to location tracking of family members to data collected regarding consumption rates, there are many problems that IOT can bring with all the solutions it is known for.

Taking a deep look into a few of these devices and understanding their communication reveals that we are exposing our homes, our families, to attacks against these devices.

Utilising web security and infrastructure security assessment practices we will take a deep dive into IOT devices and applications to show the types of attacks that are available and how to mitigate the risk this new attack surface presents. I will show some resources to see Internet connected devices all over the world as well as illustrate what can happen if these devices are breached.

Jason Kent, VP of Product Management, Qualys


16:35 Atrium Ballroom R S

Using adversarial modelling in driving secure application development

Use cases are helpful for eliciting, communicating and documenting requirements. Additionally, use cases are also useful in gaining an understanding of the features of the application. Similarly, to identify threats that can materialize within an application, the concept of misuse cases was introduced as a means of conceptualising the different possibilities of attacks against an application. Thus, in the context of secure application development, this provides product development teams actionable insights during the development process to combat techniques that are adopted by an adversary.

The speaker will share his thoughts and strategies around conducting modelling and simulation from an adversarial perspective. Attendees will be introduced to an intentionally flawed application and will be exposed to tools/techniques in determining the various attack scenarios that may be subjected upon it.

Pishu Mahtani, Application Security Consultant, SpiderLabs

WORKSHOP TRACK (AFTERNOON)

13:00 Orchard Room S

Developing a high-performance security focussed Agile Team

Quality (security included) does not have to be neglected when you’re planning, building and running a high-performance development team. Kim will set the stage with how and why Agile development teams fail, explained with a familiar anecdote taken from his new book, coupled with how you can change this. Kim will then discuss and demo a set of light weight processes, practises and tools, that when combined have proven their value in:

1. Aiding high throughput (reducing time to market)

2. Significantly increasing quality (finding and removing bugs)

3. Without de-scoping

And all while reducing total project cost (fact). If this sounds like breaking the laws of physics, or too good to be true, then this workshop is for you.

What attendees will need in order to participate:

In order to participate in this session, you will need a laptop that has at least one of the following:

• VirtualBox installed to run a vbox image

• Some virtualisation software installed that can create a VM with a .vmdk disk image

If attendees do not have the VM or components set-up before the workshop, Kim will be passing a VM around via NTFS formatted USB stick.

Kim Carter, Director, BinaryMist


15:05 Orchard Room P

Automated testing and security

Companies want to deploy code at an ever-increasing pace. You should test your code to ensure that security concerns are addressed before pushing to production. Manual testing is time consuming and relies on humans, which presents a range of issues. By automating tests, you can use repeatable processes to test code before packaging and deployment. Automated tests should be included in your workflow and you should test at multiple stages of development, not just at the end of the development cycle or sprint.

This workshop will illustrate approaches to testing, such as threat analysis and testing techniques. It will also include demonstrations using Puppet as the code base, with Jira, BBS, and Bamboo as an example toolchain to show a workflow for automated testing of the code at different stages of development for different reasons.

Brett Gray, Principal Solutions and Services Engineer, Puppet


MEET OUR SPEAKERS

A big thanks to all our speakers for sharing their knowledge and experience today.

ABHAY BHARGAV, CTO, we45

AKASH MAHAJAN, Director, Appsecco

ANTE GULAM, Global CISO, MetaPack Group

ARUN NARAYANASWAMY, Senior Manager Engineering

BRETT GRAY, Principal Solutions and Services Engineer, Puppet

FABIAN LIM, DevSecOps Engineer, GovTech

GUILLAUME DEDRIE, R&D Developer, Quarkslab

JASON KENT, VP of Product Management, Qualys

KIM CARTER, Director, BinaryMist

JOEL DIVEKAR, Founder / CTO, Adi.technology

MADHU AKULA, Automation Security Ninja, Appsecco

OFER MAOR, Director of Security Strategy, Synopsys

PISHU MAHTANI, Application Security Consultant, SpiderLabs

SERGIU BODIU, Platform Architect, Pivotal

SHANNON LIETZ, DevSecOps Lead, Intuit

SRIRAM NARAYANAN, DevOps and CD Consultant, ThoughtWorks

WILLIAM HENRY, DevOps Strategy Lead, Red Hat Inc.


OUR SPONSORS

DevSecCon would not be possible without the generous support from our sponsors. A special thanks to all supporters, we are looking forward to seeing you in the networking area.


GOLD SPONSORS

GitHub

GitHub is how people build software. Millions of individuals and organisations around the world use GitHub to discover, share, and collaborate on software — from games and experiments to popular frameworks and leading applications. Together, we’re defining how software is built today.

Whether you use GitHub.com or GitHub Enterprise on your own servers, you can access one of the world’s largest developer communities to build software in the way that works best for you. Choose your deployment option and integrate your favourite third party tools into a powerful, collaborative workflow.

GovTech

Coming from the restructured Infocomm Development Authority of Singapore, we are now Government Technology Agency of Singapore (GovTech).

The Government Technology Agency of Singapore (GovTech) aims to transform the delivery of Government digital services by taking an “outside-in” view, putting citizens and businesses at the heart of everything we do. We also develop the Smart Nation infrastructure and applications, and facilitate collaboration with citizens and businesses to co-develop technologies. Join us as we support Singapore’s vision of building a Smart Nation - a nation of possibilities empowered through info-communications technology and related engineering.


SILVER SPONSORS

Sonatype

We’re on a Rugged DevOps mission to accelerate software innovation & quality while reducing waste & risk. Ask how you can achieve these goals with Nexus Software Supply Chain solutions: Nexus Repository Manager – your universal repo to manage all binaries, builds, & other deployment assets with toolchain integration. Nexus Firewall & Nexus Lifecycle – empower developers to choose the best component parts from the start with real-time component intelligence, automated policies & ongoing monitoring www.sonatype.com

Rapid7

Rapid7 is a leading provider of security data and analytics solutions that enable organizations to implement an active, analytics-driven approach to cyber security. We combine our extensive experience in security data and analytics and deep insight into attacker behaviors and techniques to make sense of the wealth of data available to organizations about their IT environments and users. Our solutions empower organizations to prevent attacks by providing visibility into vulnerabilities and to rapidly detect compromises, respond to breaches, and correct the underlying causes of attacks. Trusted by more than 5,300 organizations across 100 countries, including 36% of the Fortune 1000. Visit www.rapid7.com.


BRONZE SPONSORS

Vantage Point

Billions are spent globally every year on application security to contain the risks that developing insecure software places on businesses and their customers. The lack of security requirements, proper testing techniques, and security preparedness create long-term costs that compound over time. Vantage Point Security is dedicated to solving these challenges for our clients by building security into software development and CI/CD pipelines which results in strong alignment between development, security, and operations teams, delivers measurable productivity gains, reduces time to market, and provides a strong Return on Investment (ROI) for business stakeholders.

CONTACT US

If you have any questions about DevSecCon, drop us an email or visit our website for further information: [email protected]


VENUE MAP

RAFFLES CITY CONVENTION CENTRE LEVEL 4

[Venue map image: floor plan of Level 4 showing the Atrium Ballroom, Atrium Ballroom Foyer, Orchard Room, Centre Atrium, North Atrium, South Atrium, Stamford Meeting Rooms, Fairmont Ballroom, Stamford Ballroom, Convention Foyer, lifts and escalator, with Fairmont Singapore, Swissotel The Stamford, Bras Basah Road, Stamford Road, Beach Road and North Bridge Road marked around the building.]