Locations
Join us along the road and engage with local developer communities for a dynamic learning experience. You’ll have opportunities to network with local developers, chat directly with amazing speakers and, in true road trip style, collect souvenirs from all these locations!
Agenda at a glance
Snyk has partnered up with some amazing local communities across Europe to bring you a week-long virtual event aimed at bringing development, operations, and security teams together to meet, learn, and collaborate on the best and brightest approaches to secure development.
12:30 – 12:35 pm CET
WELCOME
Kick-Off
Join Matt and Brian as we kick off this stop of the Virtual DevSecOps Road Trip.
Speakers
Brian Vermeer, Developer Advocate at Snyk
Matt Jarvis, Director of Developer Relations at Snyk
12:35 – 1:00 pm CET
COMMUNITY SESSION
Threat Modelling Kubernetes
Cloud native container and Kubernetes systems bring new threats and risks to our precious workloads. As cloud technologies undergo rapid innovation and new tools and techniques emerge, security can get left behind. The answer to this conveyor-belt of potential insecurity? Threat modeling!
Join us for a primer on threat modeling cloud native systems, understanding adversarial techniques and preventative measures, and helping security and engineering teams increase the security and velocity of system delivery.
Speakers
Andrew Martin, CEO & Co-Founder at Control Plane
1:00 – 1:20 pm CET
SNYK SESSION
Your 3rd party dependencies are disasters waiting to happen
With the recent increase in data breaches, it is now more important than ever to really start paying attention to application security. As we introduce more and more open source dependencies into our code bases, performance is no longer the only concern. With every new dependency we are potentially bringing in new vulnerabilities that attackers are waiting to exploit. Anyone can introduce vulnerable packages. How do you know that the open source package you just added is not going to cause your customers’ data to end up for sale on the dark market?
Speakers
Lili Kastilio, Technical Services Architect at Snyk
1:20 – 1:30 pm CET
WRAP UP
Closing session
Wrap up another stop on the DevSecOps Road Trip with a Q&A with today’s speakers.
12:30 – 12:35 pm CET
WELCOME
Kick-Off
Join Matt and Brian as we kick off this stop of the Virtual DevSecOps Road Trip.
Speakers
Brian Vermeer, Developer Advocate at Snyk
Matt Jarvis, Director of Developer Relations at Snyk
12:35 – 1:00 pm CET
COMMUNITY SESSION
Build a smooth CI/CD pipeline using GitOps and Fluxv2
Working in a fast growing company raises a wide range of technical and organisational challenges. Key points to address:
• define best practices
• improve developer experience and increase ownership
• rely on a fast and secure release workflow
In this talk we will explain how we implemented our own solutions using EKS, Fluxv2, SealedSecrets and many more.
Speakers
Mathieu Gillot, Backend Developer at KMTX
Smaïne Kahlouch, Senior Site Reliability Engineer at KMTX
1:00 – 1:20 pm CET
COMMUNITY SESSION
Policy As Code through the Cloud Custodian rules engine
The “Everything As Code” approach is well established when it comes to defining infrastructure on the cloud. However, considering compliance rules on your platform, the picture still needs to be defined. Cloud platforms provide tools but they cannot answer all business needs. People usually tend to define specific rules through manually defined workloads.
Cloud Custodian allows you to declare such rules through a simple DSL and provides you in the process with governance and standardisation.
Speakers
Ismael Hommani, Cloud Native Developer at Wescale France
Tanguy Combe, Cloud Builder at Wescale France
1:20 – 1:30 pm CET
WRAP UP
Closing session
Wrap up another stop on the DevSecOps Road Trip with a Q&A with today’s speakers.
12:30 – 12:35 pm CET
WELCOME
Kick-Off
Join Matt and Brian as we kick off this stop of the Virtual DevSecOps Road Trip.
Speakers
Brian Vermeer, Developer Advocate at Snyk
Matt Jarvis, Director of Developer Relations at Snyk
12:35 – 1:00 pm CET
COMMUNITY SESSION
From attack to writing code…what do you need to know as a developer?
We will look at a concrete attack called: “XML external entity attack (XXE)” and see how we can trace it back to writing code. The described mitigations are simple: configure your parser securely, but is it this simple? We will focus on some examples and see if we can catch the attack with tests, code reviews, etc.
Speakers
Nanne Baars, Developer at Xebia and OWASP WebGoat Project lead at Xebia
1:00 – 1:20 pm CET
SNYK SESSION
Your Attack Surface Just Got Bigger
Building cloud-native web applications is undoubtedly awesome. However, it comes with undeniable new risks. Next to your own code, you are relying on so many other things. Blindly depending on open-source libraries and Docker images can form a massive risk for your application. The wrong package or image can introduce severe vulnerabilities into your application, exposing your application and your users’ data. Join this hands-on cloud-native live-hacking session where we’ll show common threats, vulnerabilities, and misconfigurations. Most importantly, you’ll learn how to protect your application with actionable remediation and best practices.
Speakers
Brian Vermeer, Developer Advocate at Snyk
1:20 – 1:30 pm CET
WRAP UP
Closing session
Wrap up another stop on the DevSecOps Road Trip with a Q&A with today’s speakers.
12:30 – 12:35 pm CET
WELCOME
Kick-Off
Join Matt and Brian as we kick off this stop of the Virtual DevSecOps Road Trip.
Speakers
Brian Vermeer, Developer Advocate at Snyk
Matt Jarvis, Director of Developer Relations at Snyk
12:35 – 1:00 pm CET
COMMUNITY SESSION
Polyglot apps lead to polyglot security holes. It’s time to fight back!
With convenience on the developer side, based on dependencies, abstraction layers and the composition of technologies, we are getting up to speed in our production pipeline. But at the same time, it’s Pandora’s box in terms of security too. How can you close this gap and eliminate the weaknesses? I’ll show you how to start with free tools to protect your stack against known security vulnerabilities, increase productivity while working fast, efficiently and comfortably, and why quality based on excellent test coverage will be your safety belt.
Speakers
Sven Ruppert, Developer Advocate at JFrog
1:00 – 1:20 pm CET
SNYK SESSION
User Profiling through Open Source Intelligence (OSINT)
When we as consumers log on to an online service using just a single piece of information like an email address, phone number, username or via a social provider such as Facebook/Google/Twitter, what kind of information can actually be derived from that in order for somebody to run some user profiling on us?
The recon work based on openly available information out on the internet is called Open Source Intelligence (OSINT for short) and is especially useful for marketing departments for targeted marketing activities. It allows a more comprehensive user profile to be put together based on an initial single factor. However, this might not always happen with the consent of the user. This talk will give an overview of what is technically possible and what we as consumers should watch out for.
Speakers
Mathias Conradt, Senior Solutions Engineer at Snyk
1:20 – 1:30 pm CET
WRAP UP
Closing session
Wrap up another stop on the DevSecOps Road Trip with a Q&A with today’s speakers.
12:30 – 12:35 pm CET
WELCOME
Kick-Off
Join Matt and Brian as we kick off this stop of the Virtual DevSecOps Road Trip.
Speakers
Brian Vermeer, Developer Advocate at Snyk
Matt Jarvis, Director of Developer Relations at Snyk
12:35 – 1:00 pm CET
COMMUNITY SESSION
Best practices for securing CI/CD pipeline
DevOps practices are in place; containers are everywhere, pipelines are flying. We do Agile. We do DevOps. Now we try to follow security practices for protecting the deployed resources, too. This is the reason why DevSecOps is not hype anymore and is gaining more prominence. There is a lot of information about DevSecOps, but how do you do it properly? Where to start? What are the best practices?
In this session, we will walk through an end-to-end scenario where we will deploy infrastructure components securely. We will build a pipeline with security in mind to protect and detect potential security flaws during the build.
You will learn:
• How to build an end-to-end CI/CD pipeline that builds the application and deploys infrastructure on Azure with security checks for the application, containers and infrastructure;
• What security tools are available for a CI/CD pipeline and how to implement them in the best way;
• Best practices and patterns of building security pipelines.
Speakers
Victoria Almazova, Senior Security Architect at Microsoft
1:00 – 1:20 pm CET
COMMUNITY SESSION
Better security through code hygiene
Writing secure software is hard. Really hard. That’s why the security industry is heavily focused on building tools to make it easier to detect potential security vulnerabilities in your applications. Unfortunately, none of these tools is a silver bullet that will magically fix all your problems. Sometimes, these tools make it even worse, with their constant nagging about potential issues.
In this session, we’ll discuss how you can use a simple but effective code hygiene technique to boost the security of your applications. Additionally, following this hygiene pattern will make your code scanning tools much more effective, and a lot less annoying.
Speakers
Philippe De Ryck, Founder at Pragmatic Web Security
1:20 – 1:30 pm CET
WRAP UP
Closing session
Wrap up another stop on the DevSecOps Road Trip with a Q&A with today’s speakers.
Community Partners
Our aim is to shine a well-deserved spotlight on the hard work and contributions made by local community leaders across Europe.
Register to Attend
Speakers
Check back to see who all will be speaking.
Smaïne Kahlouch
Senior Site Reliability Engineer at KMTX
Mathieu Gillot
Backend Developer at KMTX
Tanguy Combe
Cloud Builder at Wescale France
Ismael Hommani
Cloud Native Developer at Wescale France
Nanne Baars
Developer at Xebia and OWASP WebGoat Project lead at Xebia
Victoria Almazova
Senior Security Architect at Microsoft
Matt Jarvis
Director of Developer Relations at Snyk
Lili Kastilio
Technical Services Architect at Snyk
Andrew Martin
CEO & Co-Founder at Control Plane
Mathias Conradt
Senior Solutions Engineer at Snyk
Sven Ruppert
Developer Advocate at JFrog
Philippe De Ryck
Founder at Pragmatic Web Security
Philippe Stemberger
Principal Solutions Engineer at Snyk
Brian Vermeer
Developer Advocate at Snyk