Wednesday, September 15

9:00am PDT

Welcome
Welcome to DevSecOps Days Los Angeles!

Speakers
Hasan Yasar

Technical Director, Continuous Deployment of Capability, Carnegie Mellon University Software Engineering Institute
Hasan is a senior software engineer, software architect, and manager with 20+ years of experience in all phases of software development and the information modeling process. He has extensive knowledge of current software tools and techniques and extensive hands-on experience in software... Read More →


Wednesday September 15, 2021 9:00am - 9:15am PDT
Virtual

9:15am PDT

Stay Ahead of the Game: Automate your Threat Hunting Workflows
Staying current with the threats facing your environment is harder than ever, and it is widely acknowledged that there are not enough skilled people to staff every security operations center (SOC). As a result, many organizations struggle to cope with the volume of new attack types and the flood of alerts their tooling generates. In this session you will learn how to hunt for active threats in your environment, automate that hunt, and contain what you find using integrated connections to network, endpoint, and cloud products. The session is aimed at SOC management, cyber security engineers, threat hunters, and analysts, and touches on threat detection, investigation, and response. All code will be made available after the session.

Speakers
Christopher Van Der Made

Consulting Systems Engineer Security, Cisco Systems
From Rotterdam, Netherlands, of Dutch and American nationality, Christopher studied at the University of Amsterdam, majoring in Neuroscience with a Computer Science minor. He achieved his Masters in Information Sciences, and joined Cisco through the Graduate program. He is now Consulting... Read More →


Wednesday September 15, 2021 9:15am - 9:45am PDT
Virtual

9:45am PDT

Short Break
Take a short break, but come back soon for our next presentation!

Wednesday September 15, 2021 9:45am - 9:55am PDT
Virtual

9:55am PDT

Implementing Policy as Code through Open Policy Agent
If our organization's policies are still managed through a GUI, we lose the auditability, repeatability, and testability of those policies (access control, scan-result evaluation, and other decision-making procedures). Policy as code lets us manage policies declaratively and enforce them across the entire application and technology stack. Join this talk to learn how to get started with policy as code using Open Policy Agent (OPA).

The areas we will cover in this talk include:
  • the need for policy as code
  • exploring OPA
  • understanding the constructs of a declarative policy language
  • a walkthrough of implementation use cases

At the end of the session, you'll have a solid understanding of:
  • the basics of policy as code
  • introducing policy as code in your technology stack
  • the application of policies through the Rego language in OPA
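
As an illustration of the scan-result evaluation use case this session describes, the Rego policy below is an example added to this page; it is not code from the speaker, Practical DevSecOps, or the OPA project. It assumes a package name of cicd.scan, a scanner report shaped as {"image": ..., "findings": [{"id", "severity", "package"}]}, and placeholder image names under registry.example.com and finding IDs of the form EXAMPLE-000n; none of these are real identifiers.

```rego
# policy.rego: a CI/CD gate that decides whether a scanned container image may be deployed.
# Evaluate: opa eval --format pretty -i scan.json -d policy.rego 'data.cicd.scan'
# Test:     opa test policy.rego -v
package cicd.scan

# OPA returns "undefined" rather than false when nothing matches; the default
# makes the decision an explicit false instead.
default allow = false

# Severities that block a build. Assumed values; tune to your risk appetite.
blocking_severities = {"CRITICAL", "HIGH"}

# Accepted risks are data, not policy logic. In production this set would be
# loaded from a separate document (opa eval -d exceptions.json) that carries a
# ticket reference and an expiry per entry. Finding IDs are placeholders.
exceptions = {
    {"image": "registry.example.com/payments-api", "id": "EXAMPLE-0001"},
}

# True when a finding is covered by an exception for the image under test.
excepted(f) {
    e := exceptions[_]
    e.image == input.image
    e.id == f.id
}

# deny is a set of human-readable reasons; an empty set means the image passes.
deny[msg] {
    f := input.findings[_]
    blocking_severities[f.severity]
    not excepted(f)
    # object.get avoids an undefined reference if a finding lacks "package";
    # an undefined expression would silently drop this deny reason.
    pkg := object.get(f, "package", "unknown")
    msg := sprintf("%s: %s (%s) in package %s", [input.image, f.id, f.severity, pkg])
}

# Fail closed: a report with no findings list at all is a broken pipeline, not a clean image.
deny[msg] {
    not input.findings
    msg := "scan report has no findings list"
}

allow {
    count(deny) == 0
}

# Tests live in the same package; `opa test policy.rego -v` runs every test_ rule.
# All inputs below are constructed sample data.
test_blocking_finding_is_denied {
    count(deny) == 1 with input as {
        "image": "registry.example.com/web",
        "findings": [{"id": "EXAMPLE-0002", "severity": "CRITICAL", "package": "openssl"}]
    }
}

test_excepted_finding_is_allowed {
    allow with input as {
        "image": "registry.example.com/payments-api",
        "findings": [{"id": "EXAMPLE-0001", "severity": "HIGH", "package": "libxml2"}]
    }
}

test_exception_is_scoped_to_its_image {
    not allow with input as {
        "image": "registry.example.com/web",
        "findings": [{"id": "EXAMPLE-0001", "severity": "HIGH", "package": "libxml2"}]
    }
}

test_low_severity_is_allowed {
    allow with input as {
        "image": "registry.example.com/web",
        "findings": [{"id": "EXAMPLE-0003", "severity": "LOW", "package": "zlib"}]
    }
}

test_missing_findings_is_denied {
    not allow with input as {"image": "registry.example.com/web"}
}
```

The design point worth noticing is how Rego handles absence: any expression that references a missing field or a non-member of a set is undefined, and an undefined body simply does not produce a deny reason. A naive policy therefore fails open when the scanner emits an unexpected report. The explicit "no findings list" rule, the object.get default, and the default allow = false line are what turn that behaviour into a fail-closed gate, and the test rules pin it in place so a later edit cannot quietly reopen it.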

Speakers
Marudhamaran Gunasekaran

Principal Security Consultant, Practical DevSecOps
Marudhamaran Gunasekaran is a security consultant at Practical DevSecOps with a strong passion for securing software development through training and consulting. He enjoys working with engineering and operations teams to seamlessly imbibe the security mindset even before a single line... Read More →


Wednesday September 15, 2021 9:55am - 10:25am PDT
Virtual

10:25am PDT

Short Break
Take a short break, but come back soon for our next presentation!

Wednesday September 15, 2021 10:25am - 10:35am PDT
Virtual

10:35am PDT

Secrets in Kubernetes Across Cloud
Join this session to learn how to use Custom Resource Definitions (CRDs), such as Kubernetes External Secrets, to configure secrets in Kubernetes independently of the cloud or bare-metal implementation!

Speakers
Jhonnatan Gil Chaves

DevOps/SRE Engineer and Full Stack Developer, Aval Digital Labs
Jhonnatan is a DevOps/SRE Engineer and full stack developer with experience in Java, Python, and Chaos focus tools to generate resilience for applications within this beautiful practice. Jhonnatan likes the cloud a lot, especially AWS, but in his current role has worked with other... Read More →


Wednesday September 15, 2021 10:35am - 11:05am PDT
Virtual

11:05am PDT

Short Break
Take a short break, but come back soon for our next presentation!

Wednesday September 15, 2021 11:05am - 11:15am PDT
Virtual

11:15am PDT

Service Mess to Service Mesh
In our quest to secure all the things, do we jump in too quickly? In this session, we'll use Istio and Linkerd as example service meshes, and look at the features we would expect from a service mesh. We'll dive into the day-1 experience with both Istio and Linkerd, and some advanced scenarios of using the service mesh. We'll compare this to border security with an app gateway, and compare and contrast the security features, complexities, and implementation costs. You'll leave with a concrete understanding of the benefits and tradeoffs you get when you pull in a service mesh, and you'll be ready to justify the investment.

Speakers
Rob Richardson

Software Craftsman
Rob Richardson is a software craftsman building web properties in ASP.NET and Node, React, and Vue. He’s a Microsoft MVP, published author, frequent speaker at conferences, user groups, and community events, and a diligent teacher and student of high-quality software development... Read More →


Wednesday September 15, 2021 11:15am - 11:45am PDT
Virtual

11:45am PDT

Short Break
Take a short break, but come back soon for our next presentation!

Wednesday September 15, 2021 11:45am - 11:55am PDT
Virtual

11:55am PDT

A Security-First Approach to Product Innovation
When it comes to security and compliance, most software teams know the alphabet soup of standards, be it GDPR, HIPAA or HITRUST. Planning, implementing and maintaining good-practice security is not only necessary, but can also serve as an important advantage that can be leveraged as a marketing differentiator.

But many software teams still treat security and compliance as an afterthought. Product teams at companies of all sizes consistently prioritize only the minimum security controls required to do business in high-compliance spaces like HIPAA and HITRUST. Engineering teams may regularly lock horns with compliance teams over which security controls to bake into their infrastructure, code, and development lifecycle; when to make this a priority; and what the ideal depth of security coverage would look like.

This strategy can prove to be short-sighted, especially if a business is serious about staying competitive and relevant in today’s security conscious B2B and consumer markets. Inadequate attention to security and compliance risks early in the lifecycle of a product contributes to longer sales cycles due to lack of clearly defined and implemented security controls, loss of sales opportunities with products not meeting the minimum compliance requirements to compete, and a mountain of technical debt for engineering teams to resolve when compliance eventually does become a serious priority.

The answer to overcoming these challenges is to adopt a compliance-first approach to product innovation.

In this session, we’ll be talking through how product organizations can infuse security and compliance into product innovation without adversely impacting engineering delivery cycles, how to effectively prioritize security controls that can cater to a broad range of compliance regulations and frameworks like HIPAA, HITRUST and SOC 2 early in the product lifecycle, and the foundational groundwork that software teams can lay out to quickly identify and implement the right security controls as new compliance requirements emerge.

Speakers
Frank Macreery

Co-Founder and CEO, Aptible


Wednesday September 15, 2021 11:55am - 12:25pm PDT
Virtual

12:25pm PDT

Lunch Break
Get some lunch and stretch your legs! We'll see you soon for the rest of our program.

Wednesday September 15, 2021 12:25pm - 12:45pm PDT
Virtual

12:45pm PDT

Keynote: DevSecOps, More than Just Pipelines
Most talk around DevSecOps is about putting more and more into your pipeline, whether that is realistic, safe, or logical. This talk will detail when not to put something in your pipeline, and several strategies for automated security that do not require slowing down your builds.

Speakers
Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security.’ She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for... Read More →


Wednesday September 15, 2021 12:45pm - 1:30pm PDT
Virtual

1:30pm PDT

Short Break
Take a short break, but come back soon for our next presentation!

Wednesday September 15, 2021 1:30pm - 1:40pm PDT
Virtual

1:40pm PDT

Enhance AppSec Maturity and Outcomes using DevSecOps Metrics
Building a mature AppSec program is critical to the success of any product, because it manages the most vulnerable areas of the application. How can we be sure that the DevSecOps pipeline we have implemented is working effectively? This presentation highlights the key measures every CISO should monitor to track the effectiveness of the AppSec maturity program.

Effective outcomes were measured by tracking six key metrics to validate whether DevSecOps was successfully implemented. When done right, DevSecOps goes well beyond "shifting security left" to "shifting security everywhere," ensuring applications are secure in development, delivery, and production. Integrating security into the DevOps pipeline gives faster delivery with an improved security posture, enabling greater overall business success.

More than 85% of the applications in public app stores, such as the Apple App Store and Google Play, violate one or more of the OWASP Top 10 risks. That illustrates the current state of insecure apps, and why DevSecOps, and a transformational shift to improve AppSec, matters even more today.

By integrating application security principles and practices into software development and operations, teams can deliver with more agility without compromising application security.

The talk will articulate how to apply Gartner's DevSecOps best practices across the different pillars of the continuous delivery pipeline. Threat Modeling as a Service (TMaaS) is used to discover vulnerabilities and plug gaps in security controls by identifying threats and building the necessary protection into your DevSecOps workflows. With 60%-80% of a typical application today being open source code, the primary focus is on identifying and removing known open-source vulnerabilities.

Speakers
Suresh Chandra Bose Ganesh Bose

Sr. Manager-Consulting, Cognizant Business Consulting
Suresh Chandra Bose, Ganesh Bose is a Senior Manager - Consulting at Cognizant Business Consulting practice. Suresh is an accredited Lead Assessor from TMMi Foundation and has been in the IT Industry for more than 23 years with vast consulting experience in various industries. He... Read More →


Wednesday September 15, 2021 1:40pm - 2:10pm PDT
Virtual

2:10pm PDT

Short Break
Take a short break, but come back soon for our next presentation!

Wednesday September 15, 2021 2:10pm - 2:20pm PDT
Virtual

2:20pm PDT

Achieving Continuous Compliance in DevOps Programs
Compliance with regulatory requirements, standards and policies is an important goal for any product and in turn determines the success of the business. The compliance effort involved is not a one-time task but an ongoing process. How is continuous compliance accomplished in the fast-paced world of DevOps? How are teams prepared to get the best out of their DevOps programs in order to achieve their compliance goals?

This session shares a practitioner's perspective on applying continuous compliance in DevOps programs. You will see the implementation methods, including an example from a real project involving tools and techniques, and ways to overcome barriers in the process by organizing the security tasks and establishing accountability.

Learning Objectives:
  • How security fits into the DevOps pipeline
  • How to implement continuous compliance in DevOps programs
  • The role of Security Champions in the continuous compliance journey

Speakers
Arun Prabhakar

Senior Consultant, DevSecOps, Security Compass
Arun is a Senior Consultant in the DevSecOps practice at Security Compass. He has distinctive and resourceful experience in Secure System Development Life Cycle activities including secure design, threat modeling, vulnerability management and solutioning across different domains and... Read More →


Wednesday September 15, 2021 2:20pm - 2:50pm PDT
Virtual

2:50pm PDT

Wrap-Up
Summarizing what we've heard today and wrapping up the day's events.

Speakers
Hasan Yasar

Technical Director, Continuous Deployment of Capability, Carnegie Mellon University Software Engineering Institute
Hasan is a senior software engineer, software architect, and manager with 20+ years of experience in all phases of software development and the information modeling process. He has extensive knowledge of current software tools and techniques and extensive hands-on experience in software... Read More →


Wednesday September 15, 2021 2:50pm - 3:00pm PDT
Virtual