Conf42 DevSecOps 2023

2023

List of videos

Premiere - Conf42 DevSecOps 2023

Schedule, Lineup & RSVP ➤ https://www.conf42.com/devsecops2023
Join Discord ➤ https://discord.gg/DnyHgrC7jC
Upcoming CFPs ➤ https://www.papercall.io/events?cfps-scope=&keywords=conf42

Chapters
0:00 teleport
1:15 welcome keynote
2:07 Andrey Slastenov - https://www.conf42.com/DevSecOps_2023_Andrey_Slastenov_iot_5g_devices_ddos_threat_landscape

ai & ml
3:16 Susie Su - https://www.conf42.com/DevSecOps_2023_Susie_Su_revolution_iot_workforce
3:56 Rich Niemiec - https://www.conf42.com/DevSecOps_2023_Rich_Niemiec_ai_machine_learning_101
4:37 Tomas Fernandez - https://www.conf42.com/DevSecOps_2023_Tomas_Fernandez_technical_writing_ai_career_path

cloud
5:12 Fouad Mulla - https://www.conf42.com/DevSecOps_2023_Fouad_Mulla_cloud_security_containers_infra_workloads
6:03 Gufran Mirza - https://www.conf42.com/DevSecOps_2023_Gufran_Mirza_securing_kubernetes_istio_service_mesh

deep dive
6:30 Tanya Janca - https://www.conf42.com/DevSecOps_2023_Tanya_Janca_more_than_pipelines
7:28 Alex Olivier - https://www.conf42.com/DevSecOps_2023_Alex_Olivier_modernizing_auth_decoupled_abac
7:52 Gene Gotimer - https://www.conf42.com/DevSecOps_2023_Gene_Gotimer_doom_devsecops
8:33 Muralidhar Basani - https://www.conf42.com/DevSecOps_2023_Muralidhar_Basani_simplifying_kafka_governance
9:04 Robert Hodges - https://www.conf42.com/DevSecOps_2023_Robert_Hodges_monitoring_open_source_analytics_visualization
9:44 Romano Roth - https://www.conf42.com/DevSecOps_2023_Romano_Roth_architect_continuous_delivery
10:32 Chester Santos - https://www.conf42.com/DevSecOps_2023_Chester_Santos_instant_memory_training

observability
11:20 Roni Dover - https://www.conf42.com/DevSecOps_2023_Roni_Dover_opentelemetry_code_prod
12:05 Siddhartha Khare - https://www.conf42.com/DevSecOps_2023_Siddhartha_Khare_opentelemetry_path_observability

secrets
12:49 Daniel Oates-Lee - https://www.conf42.com/DevSecOps_2023_Daniel_OatesLee_git_secrets_repos
13:30 Alex Soto - https://www.conf42.com/DevSecOps_2023_Alex_Soto_kubernetes_secrets_secret
14:08 Brian Contos - https://www.conf42.com/DevSecOps_2023_Brian_Contos_hacking_demos_secrets_asset_intelligence
14:47 Sam Gabrail - https://www.conf42.com/DevSecOps_2023_Sam_Gabrail_secrets_management_gitops_argocd_hashicorp_vault_injector

security
15:42 Michal Davidson - https://www.conf42.com/DevSecOps_2023_Michal_Davidson_cybersecurity_security_domains
16:31 Danish Tariq & Hassan Khan Yusufzai - https://www.conf42.com/DevSecOps_2023_Danish_Tariq_Hassan_Khan_Yusufzai_supply_chain_npm_attacks
17:47 Dwayne McDaniel - https://www.conf42.com/DevSecOps_2023_Dwayne_McDaniel_detecting_honeytokens
18:27 Fulvio Colombrino - https://www.conf42.com/DevSecOps_2023_Fulvio_Colombrino_detect_known_unknowns
18:57 Jhonnatan Gil Chaves - https://www.conf42.com/DevSecOps_2023_Jhonnatan_Gil_Chaves_security_development_continuous_delivery
19:47 Marek Najmajer & Aleksander Baranowski - https://www.conf42.com/DevSecOps_2023_Marek_Najmajer_Aleksander_Baranowski_beyond_sbom_risk_assessment
20:34 Peleg Porat - https://www.conf42.com/DevSecOps_2023_Peleg_Porat_configurations_weak_link_chain
20:55 Travis Gosselin - https://www.conf42.com/DevSecOps_2023_Travis_Gosselin_fortifying_codebase_github
21:40 Zach Wasserman - https://www.conf42.com/DevSecOps_2023_Zach_Wasserman_securing_endpoint_open_software
22:00 Joshua Arvin Lat - https://www.conf42.com/DevSecOps_2023_Joshua_Arvin_Lat_iac_security_best_practices
22:18 Grzegorz Sztandera - https://www.conf42.com/DevSecOps_2023_Grzegorz_Sztandera_devopssup_extended_devops_one_team
23:11 Jagdsh Chand - https://www.conf42.com/DevSecOps_2023_Jagdsh_Chand_iterative_threat_modelling_agile_development

tools
23:55 Leonid Akinin - https://www.conf42.com/DevSecOps_2023_Leonid_Akinin_trusty_package_ttps_oss_python
24:32 Timo Pagel - https://www.conf42.com/DevSecOps_2023_Timo_Pagel_metricca_software_metrics_collection_analysis

25:15 thank you, join discord ➤ https://discord.gg/DnyHgrC7jC

The Role of IoT and 5G Devices in DDoS Attacks | Andrey Slastenov | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Andrey_Slastenov_iot_5g_devices_ddos_threat_landscape Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:21 ddos attack trends 3:49 the danger of 5g and iot 5:58 anatomy of iot-driven botnet ddos attacks 6:15 algorithm of iot-driven botnet ddos attacks 8:08 stages of infecting iot devices 10:51 iot attacks on the rise 11:27 threats of losses when ddos attacks happen 12:54 protection measures: best practices 15:51 example of iot botnet attack from gcore 18:18 what helps us to sustain such kinds of attacks? 20:31 conclusion

The Transformation of DevOps and InfoSec in AIoT | Susie Su | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Susie_Su_revolution_iot_workforce Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:07 about susie 2:52 #1 aiot (ai of things) 5:05 #2 devops in aiot 15:38 #3 ai security 29:22 summary

Understand & Where to use AI & Machine Learning 101 | Rich Niemiec | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Rich_Niemiec_ai_machine_learning_101 Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:10 where to use ai & ml 101 2:44 about viscosity 3:40 agenda 4:47 the economic potential of genai 5:13 symbiotic coming relationship; you & robots 5:53 the brain center at whipple's & chatgpt 6:23 robotics / automation impact on jobs 6:50 leverage - db, gps & robotics 6:57 the obsolete man 7:22 autonomous database - replacing the dba? 7:44 biju thomas - emerging jobs (developer/dba) 8:11 characteristics of big data - the five v's 8:38 converged database 8:43 what you need; nick of time 9:49 a robot may not look like one! 10:10 autonomous db : future dba & robot db 10:56 oracle machine learning: brief highlights only 11:17 ml process (supervised learning) 12:34 business understanding 13:18 oaa model build and real-time sql apply 14:29 dbms_data_mining oracle algorithms 14:43 ml learning in adw/atp 16:10 a game of pool 16:49 oracle ml algorithms and analytics in oracle db 17:12 decision tree algorithm (ml classifier) 17:47 oml (oaa) oracle data mining sql sample (partial) 18:25 random forest (ml classifier) 18:50 neural network 20:29 one-class svm (ml anomaly detection) 21:15 hierarchical k-means (ml cluster) 21:52 seasonal, irregular & missing data: time series algorithm 22:28 linear model (regression) 22:52 generalized linear model (glm) 23:21 principal component analysis (attribute importance) 24:26 living doll 24:43 apriori / market basket (association rules) 25:20 singular value decomposition (feature extraction) 25:31 principal component analysis (feature extraction) 25:47 in his image 26:11 number 12 looks like you (2020) 26:22 sql analytics (windows / patterns / aggregates) 26:56 statistical functions in oracle (partial list) 27:06 ml functions - oracle docs 27:48 automl is here for autonomous db 28:15 time enough at last for ml with automl 28:55 ml & ai - oracle's built-in algorithms 29:05 biju thomas at odtug 29:10 ml & business apps 29:55 applications - ai powered; analytics & ml 30:16 oracle genai 30:32 sql generation from natural language using llm 31:10 think of it as an assistant (60-70%) 32:03 apex development speed- genai 33:25 genai writes the sql 33:41 what's next: a worldwide race to build ai 34:26 healthcare driving oracle to better ai products 34:40 oracle driving first responders with tesla 34:50 openai - ten years later... the baby talks! 35:21 generative ai - things to know... 36:20 chat gpt 36:45 google's bard 37:20 transformers - google, 2017 38:04 generative ai: gpt & chatgpt 38:35 chatgpt-4 38:51 oracle vector db 39:25 from juan loaiza interview 40:23 vector search 40:49 create table with vector data type & blob 42:36 retrieval augmented generation 43:03 answer detailed questions / supply manuals 43:29 ask question & reference document ai searches 44:06 from stanford paper 44:54 robots we grew up with... movie robots... closer to the future... today's robots 45:38 genai inside apex, sensors, robots... etc. 45:53 use oracle va with robots 46:03 db, ai & vr 46:25 a world of difference (getting closer) 47:05 the after hours (future sentience issues ahead) 47:36 the digital transformation ahead 48:11 digital - how did we go from magical to toxic? 48:59 gartner 2020 hype cycle 49:49 quantum computing makes ml fast enough! 50:14 3 types of ai 50:42 final thoughts 51:26 summary 53:12 thank you!

Technical writing vs AI. Is still a worthy career path? | Tomas Fernandez | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Tomas_Fernandez_technical_writing_ai_career_path Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC More Tomas ➤ https://tomfern.com/ Chapters 0:00 intro 1:43 preamble 2:05 yes, but it depends 2:16 technology has always advanced 2:48 what makes ai and llms different? 3:41 5 reasons we shouldn't worry 3:56 #1 the hype cycle 4:53 #2 ai failed to replace writers before 6:04 #3 ai has its share of limitations 8:25 #4 we benefit from ai 11:37 #5 writing is 20% of the job 12:26 conclusion 13:14 thank you!

Cracking the Code of Cloud Security | Fouad Mulla | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Fouad_Mulla_cloud_security_containers_infra_workloads Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:27 stats 3:56 about fouad 4:22 agenda 5:04 introduction 6:56 challenges in container security 10:45 cloud container vulnerabilities 13:29 containers security : devsecops 16:25 enhancing security: beyond the defaults 19:40 automated vulnerability management 20:06 clair 20:44 configuration management and network segmentation 22:47 key takeaways 23:53 thank you

Securing Kubernetes Workloads with Istio Service Mesh | Gufran Mirza | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Gufran_Mirza_securing_kubernetes_istio_service_mesh Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:06 talk outline 2:35 what is a service mesh 3:27 istio features 4:32 important terminology 4:57 before istio 5:37 pod with sidecar 6:25 sidecar proxy 7:07 how is the sidecar injected 7:57 with istio - sidecar intercepts all traffic 8:29 istio architecture 9:26 service mesh security 9:37 service identities - the starting point 10:52 conversion of identity into a certificate 11:52 identity provisioning workflow 12:23 authentication 13:42 auth flow 14:35 peer authentication 15:48 demo 22:22 ingress gateway 26:07 demo 32:32 authorization 34:39 auth flow 35:15 demo 41:22 questions?

DevSecOps: More Than Just Pipelines | Tanya Janca | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Tanya_Janca_more_than_pipelines Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Tanya's channel ➤ @SheHacksPurple Chapters 0:00 intro 1:43 preamble 2:15 what are we going to talk about today? 3:21 tanya janca 4:24 what is devops? 4:40 what is ci/cd? 5:58 why ci/cd? 7:28 what is application security? 8:01 what is devsecops? 8:37 the three ways of devops 9:46 but what about pipelines? 11:03 an application security program 11:48 inventory 13:09 finding bugs 15:09 knowledge 16:03 education 17:36 give developers security tools 18:39 secure-sdlc 21:23 tools (outside the pipeline) 22:37 incident response 23:52 metrics 25:31 summary 26:41 resources 27:28 join the community!!!!!! 28:49 resources: me! 29:20 thank you!

Modernizing Authorization: From Basic Roles to Decoupled ABAC | Alex Olivier | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Alex_Olivier_modernizing_auth_decoupled_abac Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Cerbos Project ➤ https://cerbos.dev/ Chapters 0:00 intro 1:43 preamble 1:50 about alex 2:52 authn ≠ authz 4:05 let's scale a company 4:16 stage 1 - the blissful days of roles 4:58 stage 2 - let's change our product packaging 6:07 stage 3 - let's sell into another region 7:31 stage 4 - let's sell to 'enterprise' organisations 8:55 stage 5 - new ciso: let's get iso27001 / soc2 10:16 stage 6 - we need microservices! 11:57 a new approach 13:23 authorization-as-a-service? 14:09 code to policy 15:41 rise of sidecars 16:52 in practice 21:15 advantages, challenges 24:16 about cerbos 25:00 thanks

Ten Ways to Doom Your DevSecOps | Gene Gotimer | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Gene_Gotimer_doom_devsecops Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:14 slow onboarding 3:09 "cloud" 3:55 "agile" 5:02 change control board 6:15 afraid to fail 7:25 unchanging culture 8:37 unchanging policies 9:48 too many decision makers 10:43 too many metrics 11:29 unrealistic expectations 12:09 summary, reach out!

Simplifying Kafka Governance for Developers | Muralidhar Basani | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Muralidhar_Basani_simplifying_kafka_governance Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:09 apache kafka in brief 3:38 what is governance? 4:07 kafka environment & challenges 5:33 questions arise 6:30 how to manage kafka? 7:29 what is klaw? 9:25 klaw architecture 10:57 request / approval 11:23 demo : a simple user journey 13:02 demo of consumer acl 15:29 demo of schema request 17:31 demo of topic promotion 19:58 demo of synchronize topics 22:02 does klaw fit in your project? 22:34 project links 22:50 thanks!

Cheap DIY Monitoring with OSS Analytics & Visualization | Robert Hodges | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Robert_Hodges_monitoring_open_source_analytics_visualization Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:07 about robert 3:21 monitoring is for answering questions 3:55 what's the best way to answer these questions? 4:36 off-the-shelf solutions? perhaps not for you... 5:23 let's build a monitoring system with open source 6:06 pick an open source analytic database 7:22 a short list of reasons why clickhouse is popular 8:50 clickhouse optimizes for fast response on large datasets 10:35 ...and supports [many] dozens of input formats 11:16 it also has great support for time-ordered data 12:30 grafana pairs well with clickhouse for observability apps 14:00 sooo... how do we ingest vmstat data and display it? 14:23 step 1: generate vmstat data 15:12 here's the output 15:38 step 2: design a clickhouse table to hold data 17:28 step 3: load data into clickhouse 18:23 step 4: build a grafana dashboard to show results 19:26 step 5: go crazy! 20:12 demo 26:38 more software to build monitoring on clickhouse 27:51 where can i find out more? 28:54 thank you and have fun!
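The chapter list above walks through steps 1 to 4 (generate vmstat data, design a ClickHouse table, load the data, query it from Grafana). The script below is an added example of that pipeline, not code from the talk or from the ClickHouse project: it parses a constructed `vmstat 1` sample, emits a MergeTree `CREATE TABLE`, renders the rows as ClickHouse's JSONEachRow input format, and builds a parameterised query of the kind a dashboard panel would run. The table name `vmstat`, the column types, the host label and the assumed one-second sampling interval (vmstat prints no timestamps by default) are all choices made here.

```python
"""Added example: vmstat output -> rows -> ClickHouse DDL + JSONEachRow.
Not the talk's code; table name, types and sampling period are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed sample of `vmstat 1` output (banner, header, two one-second samples).
SAMPLE_VMSTAT = """\
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 812340 123456 2345678    0    0    12    34  210  450  3  1 95  1  0
 0  0      0 811200 123460 2345700    0    0     0    20  180  400  2  1 97  0  0
"""

TABLE = "vmstat"                     # assumed table name
RENAME = {"in": "intr"}              # "in" is a SQL keyword; rename the interrupts column
WIDE_COLUMNS = {"swpd", "free", "buff", "cache"}   # kilobyte counters, may exceed 32 bits


def parse_vmstat(text, host, start, interval_s=1):
    """Step 1: parse `vmstat <interval>` text. Each sample is stamped with
    start + n*interval (assumption: the caller knows when sampling began).
    Returns (rows, column_names)."""
    header, rows = None, []
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["r", "b"]:                     # column-name header line
            header = [RENAME.get(f, f) for f in fields]
            continue
        if header is None or not fields or not fields[0].isdigit():
            continue                                      # banner line or blank
        if len(fields) != len(header):
            raise ValueError(f"column count mismatch: {line!r}")
        row = {"ts": start + timedelta(seconds=interval_s * len(rows)), "host": host}
        row.update((name, int(value)) for name, value in zip(header, fields))
        rows.append(row)
    if header is None:
        raise ValueError("no vmstat header line found")
    return rows, header


def create_table_sql(header):
    """Step 2: MergeTree ordered by (host, ts), the key a dashboard's
    per-host time-range filter hits."""
    cols = ["    `ts` DateTime", "    `host` LowCardinality(String)"]
    for name in header:
        cols.append(f"    `{name}` {'UInt64' if name in WIDE_COLUMNS else 'UInt32'}")
    return (f"CREATE TABLE IF NOT EXISTS {TABLE} (\n" + ",\n".join(cols) + "\n)\n"
            "ENGINE = MergeTree\nORDER BY (host, ts)")


def to_json_each_row(rows):
    """Step 3: one JSON object per line (ClickHouse JSONEachRow), ready for
    `clickhouse-client --query 'INSERT INTO vmstat FORMAT JSONEachRow' < file`."""
    out = []
    for row in rows:
        obj = dict(row)
        obj["ts"] = row["ts"].strftime("%Y-%m-%d %H:%M:%S")
        out.append(json.dumps(obj, separators=(",", ":")))
    return "\n".join(out) + "\n"


def cpu_busy_query():
    """Step 4: per-minute CPU busy % for one host. The host is a ClickHouse
    query parameter ({name:Type}), bound by the client, never string-formatted in."""
    return (f"SELECT toStartOfMinute(ts) AS t, avg(100 - id) AS cpu_busy_pct "
            f"FROM {TABLE} WHERE host = {{host:String}} GROUP BY t ORDER BY t")


def demo(start=datetime(2023, 12, 1, 10, 0, 0)):
    """Run the pipeline over the constructed sample for host 'web1'."""
    return parse_vmstat(SAMPLE_VMSTAT, "web1", start)


if __name__ == "__main__":
    rows, header = demo()
    print(create_table_sql(header))
    print(to_json_each_row(rows))
    print(cpu_busy_query())
```

Pipe the JSONEachRow text into `clickhouse-client` and point a Grafana ClickHouse panel at the query; Grafana substitutes its own time-range filter and the host parameter is supplied as `--param_host=web1` (or the data source's equivalent), so the query string never embeds user input.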

How to architect for continuous delivery? | Romano Roth | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Romano_Roth_architect_continuous_delivery Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 1:51 about romano 3:41 today's challenges 5:55 where do these challenges come from? 6:48 it's about products! 8:07 devops is here to help 8:36 who is devops 10:01 why is this important for you? 10:45 example? 13:14 the 24 key capabilities that drive improvements in software delivery performance 17:21 the science behind devops 18:09 the benefits of devops 19:00 product development 21:32 built-in quality 22:22 test fast for continuous feedback 24:57 the right balance of tests 26:16 continuous testing 27:51 built-in security 28:17 the continuous delivery pipeline 28:57 what the platform vendors promise... 30:59 continuous security 32:09 built for operability 33:34 evolution of monitoring 35:46 we need to architect for operability 37:20 build a platform 38:18 you need to take care of the full stack 39:35 think about that at scale... 40:41 platform engineering enables devops in product teams 42:57 platform engineering scales the platform to multiple product teams 44:11 summary 45:54 we are entering the age of industrialization of software development

Instant Memory Training for Business Success | Chester Santos | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Chester_Santos_instant_memory_training Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 talk

Coding with the lights ON - OpenTelemetry from code to prod | Roni Dover | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Roni_Dover_opentelemetry_code_prod Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Contact Roni ➤ roni.dover@gmail.com Chapters 0:00 intro 1:43 preamble 2:10 about roni 2:54 coding practices are changing 3:38 how i wrote code yesterday 5:37 technology is allowing us to leverage more data 6:40 what you know about your code? 8:33 here be dragons 9:20 instead... 10:28 those who don't know, troubleshoot 11:35 fact or fiction? 14:25 the would be 10x developer 14:52 where feedback is missing 17:33 back to the source 20:21 why is otel so important? 23:35 what is tracing? 25:32 what a trace looks like? 26:03 automatic vs. manual instrumentation 26:45 how to use otel when developing 27:56 demo 54:08 reach roni

OpenTelemetry's Path to Observability's Future | Siddhartha Khare | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Siddhartha_Khare_opentelemetry_path_observability Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 1:58 whoami 2:17 agenda 2:33 how many tools do companies use to collect telemetry data? 2:51 monitoring vs observability 4:03 why observability 5:10 opentelemetry 7:11 second most active cncf project 7:26 core concepts opentelemetry 8:36 - instrumentation 9:40 - collector 14:06 - sampling config 15:30 ways to export 16:18 industry adoption 18:27 recap and highlights 19:11 reach out, thanks!

Git those secrets out your repos! | Daniel Oates-Lee | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Daniel_OatesLee_git_secrets_repos Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:25 whoami 4:08 whoarewe 4:45 content 5:32 what is the problem? 12:48 what can go wrong? 18:36 how do we defend? 27:53 secretmagpie? 34:18 questions? 34:32 thanks

Keeping Kubernetes secrets secret | Alex Soto | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Alex_Soto_kubernetes_secrets_secret Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:29 about alex 2:51 what is a secret 3:36 it's about layers 5:14 what is devops and gitops? 7:51 what is gitops? 10:23 gitops application delivery model 16:05 protecting secrets stored in git 16:48 sealed secrets 20:27 external secrets 24:00 demo 32:54 encrypting data at rest 34:37 encrypt etcd data 36:16 possible solutions 38:25 how we inject etcd secrets into deployments 41:02 hashicorp vault 42:28 the good, the bad and the ugly 45:34 demo 50:46 secrets lifecycle 51:23 conclusions 53:20 thank you 53:38 resources

Hacking Demos, Dirty Secrets, Dangerous Lies, Asset Intelligence | Brian Contos | Conf42 DSO 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Brian_Contos_hacking_demos_secrets_asset_intelligence Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 1:58 asset intelligence 4:12 dirty secrets: xiot 6:08 internet-accessible xiot 8:13 research stats 10:46 dangerous lies - common xiot attack types 11:18 rsocks common xiot attack types 12:55 - physical 13:15 - fronton 14:09 - oem attacks 14:19 - illegal xiot devices 16:08 - pivot attacks 16:19 - quietexit 20:27 demo 1 - industrial camera 25:34 demo 2 - hacking industrial robots 34:38 remediation, visibility with an asset intelligence platform 36:45 try it. a free poc only takes 60 minutes 37:18 thanks

CyberSecurity is too general: Why we need Security Domains | Michal Davidson | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Michal_Davidson_cybersecurity_security_domains Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Contact Michal ➤ michalsaraw@gmai.com Chapters 0:00 intro 1:43 preamble 1:56 about michal 3:00 security domains 4:33 motivation 7:52 security domains 8:50 compliance 11:08 network security 14:33 monitoring 17:05 cryptography 21:34 security architecture 24:05 hacking 26:41 summary 27:16 additional resources 28:08 thank you

Supply Chain Attacks: Focused on NPM attacks | Danish Tariq & Hassan Khan | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Danish_Tariq_Hassan_Khan_Yusufzai_supply_chain_npm_attacks Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 1:55 about danish 2:37 disclaimer 2:54 supply chain 3:50 software supply chain 4:39 supply chain attacks 4:45 examples 6:11 npm (node package manager) 9:18 maintainer email address takeover 9:54 significance of maintainer email - recently 10:53 process - attacker's perspective 11:32 defensive strategy for projects or companies 13:49 research - world-wide-how 14:53 hassan intro 15:58 research - npm packages (domains) 22:37 impact!!! 24:48 gap that could be filled 26:04 ruby gems research approach 26:56 vulnerable ruby gem 27:24 hardest part! 27:43 some fun stuff! 28:22 another tool: script to detect dependency confusion 28:31 gemscanner 29:11 solutions 31:58 any questions? 32:22 thank you!

Effortless Secrets Management in Kubernetes | Sam Gabrail | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Sam_Gabrail_secrets_management_gitops_argocd_hashicorp_vault_injector Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC TeKanAid Academy ➤ https://tekanaid.com/courses Chapters 0:00 intro 1:43 preamble 1:58 intro to gitops with argocd 3:38 school app introduction 4:24 school app components 5:37 school app k8s output 6:04 add vault to the school app 6:52 kubernetes auth method 8:51 the vault agent sidecar injector overview 12:02 mutation effects 13:22 vault agent config to render secrets 13:55 school app annotations example 14:58 vault agent templates overview 15:35 vault agent templates workflow 16:32 vault agent templates with annotations 18:04 demo 47:23 thank you

Who Goes There? Detecting Intruders With Honeytokens | Dwayne McDaniel | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Dwayne_McDaniel_detecting_honeytokens Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:00 about dwayne 2:50 let's deploy something real quick 3:12 attackers want your credentials 3:54 uber breach - september 2022 4:49 astrazeneca - november 2022 5:34 circleci - january 2023 6:44 hardcoded credentials 7:11 we know how attackers behave 7:29 what attackers want 7:54 in the 2023 state of secrets sprawl 9:00 a brief history of cyber deception 17:05 what is a honeytoken? 19:26 honeytoken options 19:37 open source - the diy route 21:11 commercial options - off the shelf 23:37 honeytoken best practices 29:01 let's check on our honeytoken from earlier... 31:37 in conclusion 32:42 honeytoken options 33:24 thanks, reach out!
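The chapters above cover what a honeytoken is, the open-source DIY route and best practices. The code below is an added example of the DIY route, not the talk's code or any vendor's: it mints a decoy credential shaped like an AWS access key id (so it passes the same regexes an attacker's secret scanner uses, while never being a valid credential), records where it was planted, and scans log lines for any appearance of it. Because nothing legitimate ever uses the decoy, every hit is a true positive, and because each planting location gets its own token, the alert names the asset that was read. The registry layout, the `.env` rendering and the constructed CloudTrail-style log lines are assumptions made for the example.

```python
"""Added example: a minimal DIY honeytoken (mint, plant, detect).
Not the talk's code; the registry, log format and placement names are assumptions."""
import re
import secrets
import string
from datetime import datetime, timezone

# Real AWS access key ids use a base32 alphabet (A-Z, 2-7) after the "AKIA" prefix.
# Matching that shape makes the decoy credible; it is not a valid credential.
_KEY_ALPHABET = string.ascii_uppercase + "234567"
_SECRET_ALPHABET = string.ascii_letters + string.digits + "/+"


class HoneytokenRegistry:
    """Maps each minted token to where it was planted. One token per location,
    so a hit says which repo/file/host was read, not merely that something was."""

    def __init__(self):
        self._tokens = {}

    def mint_aws_style_key(self, placed_in):
        key_id = "AKIA" + "".join(secrets.choice(_KEY_ALPHABET) for _ in range(16))
        self._tokens[key_id] = {
            "placed_in": placed_in,
            "minted_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        }
        return key_id

    def scan(self, log_lines):
        """Return one alert per (line, token) mention. Exact-match alternation over
        random 20-character ids, so false positives are negligible."""
        if not self._tokens:
            return []
        pattern = re.compile("|".join(re.escape(t) for t in self._tokens))
        alerts = []
        for line_no, line in enumerate(log_lines, 1):
            for match in pattern.finditer(line):
                token = match.group(0)
                alerts.append({
                    "line_no": line_no,
                    "token": token,
                    "placed_in": self._tokens[token]["placed_in"],
                    "evidence": line.strip(),
                })
        return alerts


def plant_in_env(key_id):
    """Render the decoy as a realistic .env fragment; the secret half is random
    filler of the right length (40 chars) so the pair does not look planted."""
    fake_secret = "".join(secrets.choice(_SECRET_ALPHABET) for _ in range(40))
    return f"AWS_ACCESS_KEY_ID={key_id}\nAWS_SECRET_ACCESS_KEY={fake_secret}\n"


def demo():
    """Mint one token for a decoy repo, plant it, then scan constructed logs:
    one ordinary event, one event that used the decoy, one unrelated line."""
    registry = HoneytokenRegistry()
    key_id = registry.mint_aws_style_key("git:payments-api/.env")
    env_text = plant_in_env(key_id)           # what an attacker grepping the repo finds
    assert key_id in env_text
    logs = [  # constructed CloudTrail-style lines, not real events
        '{"eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"},"sourceIPAddress":"10.0.0.5"}',
        f'{{"eventName":"ListBuckets","userIdentity":{{"accessKeyId":"{key_id}"}},"sourceIPAddress":"203.0.113.7"}}',
        "GET /health 200",
    ]
    return registry.scan(logs)


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT line {alert['line_no']}: decoy from {alert['placed_in']} was used: {alert['evidence']}")
```

Run the scan over access logs, CloudTrail-style events or whatever records credential use in your environment, and route the first hit straight to incident response: with a decoy there is no threshold to tune, and the `placed_in` field tells you which location the attacker reached.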

Detect known unknowns | Fulvio Colombrino | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Fulvio_Colombrino_detect_known_unknowns Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Contact Fulvio ➤ fulvio.colombrino@virgilio.it Chapters 0:00 intro 1:43 preamble 2:39 about fulvio 3:09 pyramid of pain 4:14 is it necessary? 5:23 three main focus points of the pandora project 6:45 a tailored defensive solution 7:37 ttp based threat hunting 8:47 methodology workflow 12:43 baseline and its impact 15:16 threat model 16:06 testing environment 17:53 deliverables 19:05 use case 20:44 testing phase 21:05 results 22:09 what next? 23:24 thank you, questions?

Adding security for reliable continuous delivery | Jhonnatan Gil Chaves | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Jhonnatan_Gil_Chaves_security_development_continuous_delivery Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:08 who is jhonnatan gil? 3:09 agenda 3:40 containerized applications? 7:23 how to help on sdlc 13:26 general challenges 14:33 image vulnerabilities 16:48 misconfigurations 20:09 supply chain attacks 23:18 identity and access management (iam) 25:18 address on sdlc 27:28 demo 42:09 conclusion 43:55 brief resume 44:30 survey 44:43 thank you 45:08 references

Securing the software supply chain | Marek Najmajer & Aleksander Baranowski | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Marek_Najmajer_Aleksander_Baranowski_beyond_sbom_risk_assessment Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:03 agenda 2:59 marek and aleksander 3:37 risk model 5:49 fundamentals 7:15 whys and whats of software composition analysis 8:36 risks - what if we don't? 9:35 software composition analysis - risk management (scarm) 12:01 contributor profile 16:29 project activity = project dynamics 19:56 code quality 22:27 vulnerabilities (cve dynamics) 26:37 how to plug it into the software deployment pipeline? 28:57 production pipeline 30:09 devsecops by linux polska 30:48 how to make it happen? just start... 32:33 new web service platform... 34:31 streamline your security assessments 35:45 sourcemotion 35:54 thank you, contact us!

Configurations: The Weak Link in the Security Chain | Peleg Porat | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Peleg_Porat_configurations_weak_link_chain Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Configu Project ➤ https://github.com/configu/configu Chapters 0:00 intro 1:43 preamble 2:26 who is peleg 2:51 what we will cover 4:06 software bible 5:28 common types of misconfigurations 7:01 permission issues 10:17 unencrypted files and risks 12:53 challenges in monitoring changes 15:34 the automation gap 17:50 defence 20:27 introduction to configu 21:21 managing permissions effectively 23:57 ensuring data encryption 26:14 effective monitoring techniques 27:27 embracing automation 29:12 thank you for your attention

Fortifying Your Codebase with GitHub | Travis Gosselin | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Travis_Gosselin_fortifying_codebase_github Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC More Travis ➤ https://travisgosselin.com/ Chapters 0:00 intro 1:43 preamble 2:08 about travis 2:30 what is developer experience? 3:53 coding reality 6:50 github feature releases 7:19 security & tooling 9:07 dependabot 22:03 advanced security 37:50 thank you

Securing the endpoint with open software | Zach Wasserman | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Zach_Wasserman_securing_endpoint_open_software Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:12 about zach 2:38 what is an endpoint? 3:35 osquery 4:44 select * from users; 6:57 select * from processes 7:38 about fleet 9:54 demo 15:27 deployment 16:43 architecture 17:39 osquery deployment 18:43 thank you!

Infrastructure as Code Security Best Practices & Strats | Joshua Arvin Lat | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Joshua_Arvin_Lat_iac_security_best_practices Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 1:54 about joshua 2:31 let's begin 6:22 tag resources properly 7:05 avoid insecure defaults and regularly check for announcements in cloud platforms 8:51 secret management & permission management 10:17 why? 12:43 track and manage changes using version control tools 15:05 use pipelines to analyze security vulnerabilities automatically 15:30 be careful when managing resources with iac in pipelines! 16:40 poisoned pipeline execution 17:10 protect specific resources from accidental deletion or modification 18:02 the end

DevOpsSup - Extended DevOps approach | Grzegorz Sztandera | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Grzegorz_Sztandera_devopssup_extended_devops_one_team Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:12 lodz city 2:25 who is grzegorz 3:15 pipeline 4:01 devopssup - plug-in approach operations team 8:31 - building 14:07 - overview 19:44 - management 24:18 - future 25:07 - projects 26:46 - statistics 28:55 service event assistant 30:08 flight components 30:49 assistance drug tests 31:49 takeaways 34:45 in case of issues... 35:24 thank you

Iterative Threat Modelling: Security in Agile Development | Jagdsh Chand | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Jagdsh_Chand_iterative_threat_modelling_agile_development Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 about jags 2:25 expectations 2:55 threat modelling 3:49 misconceptions about tm 5:18 agile threat modelling 8:11 owasp juice shop 9:26 before starting... 11:05 example: security objective 12:12 what do we want to accomplish? - scoping 13:10 example: scoping 13:44 what are we building? software-centric approach 14:44 example: data flow diagram 15:45 what can go wrong? - evil brainstorming 16:42 methodology. No 'best' way 17:23 spoofed identity 19:50 tampering with input 20:47 repudiation of action 21:33 information disclosure 22:53 denial of service 23:23 elevation of privilege 24:09 example: applying stride 25:07 what are we going to do about it? - prioritize 26:26 example: prioritize 28:45 mitigation 29:51 example: mitigation 30:41 did we do a good job? - reflect... 31:50 iterative threat modelling ...and repeat 33:44 ways of running the workshop 34:39 learn more 35:26 threat modelling in software development lifecycle 36:34 what was the mnemonic again?!?! 36:44 takeaways

Your trusty Python package: TTPs of attacks on OSS in Python | Leonid Akinin | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Leonid_Akinin_trusty_package_ttps_oss_python Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Chapters 0:00 intro 1:43 preamble 2:04 disclaimer 2:28 contents 3:01 why this topic is important? 5:09 history of supply-chain attacks 8:15 ttps in supply-chain attacks 15:46 starjacking demo 33:08 installation & delivery 35:55 - demo 46:14 exfiltration and c2 47:26 - demo 1:01:16 defences 1:11:42 credits and references 1:12:48 thank you!

MetricCA: Revolutionizing Metrics Collection & Analysis | Timo Pagel | Conf42 DevSecOps 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Timo_Pagel_metricca_software_metrics_collection_analysis Other sessions at this event ➤ https://www.conf42.com/devsecops2023 Join Discord ➤ https://discord.gg/DnyHgrC7jC Contact Timo ➤ timo.pagel@owasp.org Chapters 0:00 intro 1:43 who is timo 2:02 agenda 2:15 devsecops maturity models 3:26 devsecops assessment 4:33 sources 5:17 metric collector and analyzer (metricca) 7:52 manual overview 8:44 threshold flow 9:51 architecture 10:12 uml 11:03 yaml 11:35 configuration.yaml 11:58 activities.yaml 12:05 analyzer task: schema creation 12:19 silverbullet? people and processes 12:55 notes 13:27 questions?
