how to manage risk of your polyglot environments
play

How to Manage Risk of Your Polyglot Environments Manage Risk: - PowerPoint PPT Presentation

Jul 13, 2023 •286 likes •711 views

How to Manage Risk of Your Polyglot Environments Manage Risk: Polyglot Environments Presenters Jeff Rouse , VP Product, ActiveState Pete Garcin , Senior Product Manager, ActiveState Larry Maccherone, Head of DevSecOps Transformation,

  1. How to Manage Risk of Your Polyglot Environments

  2. Manage Risk: Polyglot Environments Presenters Jeff Rouse , VP Product, ActiveState ● Pete Garcin , Senior Product Manager, ActiveState ● Larry Maccherone, Head of DevSecOps Transformation, Comcast ●

  3. VP Product Jeff Rouse, ActiveState

  4. Manage Risk: Polyglot Environments Platform Presentation Jeff Rouse VP Product ActiveState

  5. Manage Risk: Polyglot Environments Track-record: 97% of Fortune 1000, 20+ years open source Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby Runtime Focus: concept to development to production

  6. Manage Risk: Polyglot Environments What is Polyglot? SQL

  7. Manage Risk: Polyglot Environments How Do Polyglot Environments Evolve? Technology. Best tool for the job, modern ● software projects. People. technology stacks added through ● acquisition, changes in tech leadership Time. technologies come in & out of favour; old ● languages never die.

  8. Manage Risk: Polyglot Environments Every Organization is Polyglot Any desktop application with an online ● component. YAML configuration used with any project. ● An application with embedding scripting. ●

  9. Manage Risk: Polyglot Environments Adding a Language Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

  10. Manage Risk: Polyglot Environments Rank the Challenges Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

  11. Manage Risk: Polyglot Environments Stability & Security → Painful Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

  12. Manage Risk: Polyglot Environments Hidden Costs 75% Managing dependencies Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

  13. Manage Risk: Polyglot Environments Benefits Speed. Ship faster: better products, better ● innovation. Recruitment. Be attractive workplace: enable ● coders to choose the tools they need.

  14. Manage Risk: Polyglot Environments Drawbacks Variability. Tooling support & programming ● language quality. Expertise Gap. Deep core competency at odds with ● breadth of programming languages. Dependencies. Larger pool of dependencies. ● Support Costs. Unable to centralize, maintenance. ●

  15. Manage Risk: Polyglot Environments Presentation Title Title color by theme Magnified Issues How will you monitor, identify and resolve? Most important tex. tipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute Production bugs, Common Vulnerabilities & Exposures (CVE), irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. threats; additional risk exposure with 3rd party dependencies. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Equifax Breach: out of date 3rd party dependency

  16. Presentation Title Resolutions Reduce Reduce Reduce Reduce Attack Libs Tools Services Surface Robust Processes, Automated and Centralized for Visibility

  17. Senior Product Manager Pete Garcin, ActiveState

  18. Manage Risk: Polyglot Environments Platform Presentation Pete Garcin Senior Product Manager ActiveState

  19. Manage Risk: Polyglot Environments Automated Processes

  20. Manage Risk: Polyglot Environments

  21. Manage Risk: Polyglot Environments Automating Environments Automate. ● Bundle. ● Simplify Shares. Encourage adoption of common ● environments.

  22. Manage Risk: Polyglot Environments

  23. Manage Risk: Polyglot Environments

  24. Manage Risk: Polyglot Environments Solving Core Problems Environment Dependency Workflow Configuration Management Configuration

  25. Manage Risk: Polyglot Environments Best Practices - Build Eng & Development Build Standard Reproduce & Manage Shrink Build

  26. Manage Risk: Polyglot Environments Best Practices - Development to Production Monitor Runtime Get Updates

  27. Manage Risk: Polyglot Environments Benefits to You Dev Zen Same Same Time

  28. E7: SDL Self Assessment | 28 Security at the Speed of Software Development Presented by: Larry Maccherone DELETE A lean/agile transformation approach to achieving a DevSecOps culture Privileged and Confidential The approach for Comcast’s Secure Development Lifecycle (SDL) initiative

  29. E7: SDL Self Assessment | 29 DELETE Larry Maccherone Larry Maccherone LinkedIn.com/in/LarryMaccherone Larry_Maccherone@Comcast.com Privileged and Confidential

  30. Security practices on DevOps continuum ➔ DevSecOps • Analysis → Learning • Pen testing (Vuls found → Test scripts) • Defect/Incident 3-step • Compliance validation (PCI, etc.) • New attack surface? • Fuzzing Plan to update threat model • • Test security features Restore/maintain service for • Common abuse cases non-attack usage • Break the build • RASP auto respond code analysis • Roll-back or toggle off • Block attacker • Shut down services • Static/IAST analysis • Abuse case tests • Code review • Intrusion detection • App attack detection • Threat modeling → backlog items • Analyze/Predict → backlog items • • Log information for If we do X will it mitigate Y? • Design complies with policy? • Configuration validation • after-incident analysis Capacity forecasting • Feature toggles/Traffic • Learning → Update playbooks shaping configuration and Training • Secrets management

  31. That’s a lot of stuff! How do we get development teams to adopt?

  32. E E X X A A M M P P L L E E 3 2

  33. E E L L P P Visualizing an Org’s M M A A practices X X E E

  34. Dev [Sec] Ops is … empowered engineering teams taking ownership of how their product performs in production [including security] LinkedIn.com/in/LarryMaccherone

  35. Build security in more than bolt it on Rely on empowered engineering teams DevSecOps Manifesto more than security specialists Implement features securely more than security features Rely on continuous learning more than end-of-phase gates Build on culture change more than policy enforcement

  36. We, the Security Team … Recognize that Engineering Teams … Pledge to … • • Want to do the right thing Lower the cost/effort side of any investment in • Are closer to the business context and will developer security tools or make trade-off decisions between security practices and other risks • Assist 2x as much with • Want information and advice so those preventative initiatives as trade-off decisions are more informed we beg for your assistance reacting to security incidents Understand that … • We are no longer gate keepers but rather tool-smiths and advisors

  37. DevSecOps Tool Landscape Primary Code Analysis Dynamic • Exercises app via UI/API IAST Fuzzing (black box) • Senses vulnerability by response to input for code you write (1st • Runtime code analysis (PCA) • Instruments system (to varying degrees) • Zero? false positives. Report is an exploit • Combine dynamic/static • Sends unexpected input at API • High false negatives • Low false positives • Looks at response and instrumentation output • Difficult to implement especially w/ auth party) • Depends on test coverage • Great for testing protocols like SIP • Sometimes hard to find code to remediate • Immature but getting there • Good for REST APIs • Potentially long run times Static Analysis (aka SAST) • Hard to find code to remediate • Looks at source code • Data/control flow analysis • Prone to false positives • Rapid feedback for developers • Code fix suggestions Software Composition Analysis (SCA) for code you import (3 rd party) Runtime Application • Identifies dependency and version Security Protection • Checks CVE/NVD + … for reported (RASP) vulnerabilities • Often uses same engine • Proposes version/patch to remediate as IAST • Checks license vs policy • Reports on “bad” • Runs fast behavior • Easy to implement • Can abort transaction or • Best bang for buck! kill process to protect

  39. • Questions? • Pilot this DevSecOps What’s transformation framework next? with a few of your teams • Connect with me on: LinkedIn.com/in/LarryMaccherone LinkedIn.com/in/LarryMaccherone

  40. Q & A

  41. What’s Next Watch a demo: ● https://www.youtube.com/watch?v=c5AIxN9ehrI Get a demo marketing@activestate.com ● Contact us for the language build you need: ● platform@activestate.com

  42. Manage Risk: Polyglot Environments Where to find us Tel: 1.866.631.4581 Website: www.activestate.com Twitter: @activestate Facebook: /activestatesoftware

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Risk Manage me nt and I nte rnal Co ntro l fo r Churc he s 1 Pr ac tic al Chur c h R isk

Risk Manage me nt and I nte rnal Co ntro l fo r Churc he s 1 Pr ac tic al Chur c h R isk

Risk Manage me nt and I nte rnal Co ntro l fo r Churc he s 1 Pr ac tic al Chur c h R isk Manage me nt In most churches, risk management is addressed in piecemeal form, and on a reactive basis. 2 Pr ac tic al Chur c h R isk Manage me nt

445 views • 23 slides
2016 Presentation Descriptions Rewards of Risk: Interplay of Risk, Culture, and Objectives Drew

2016 Presentation Descriptions Rewards of Risk: Interplay of Risk, Culture, and Objectives Drew

2016 Presentation Descriptions Rewards of Risk: Interplay of Risk, Culture, and Objectives Drew Leemon, National Outdoor Leadership School Wilderness and adventure programs and organizations that work in remote environments have to manage risks.

306 views • 4 slides
Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen

Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen

Transformations on Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen schildgen@cs.uni-kl.de Yannick Krck Stefan Deloch Polyglot Persistence 3 Polyglot Persistence db.product.insert ({})

626 views • 50 slides
Polyglot Web Development With Grails 2 QCon SF 2012 Jeff Brown Grails Core Developer

Polyglot Web Development With Grails 2 QCon SF 2012 Jeff Brown Grails Core Developer

Polyglot Web Development With Grails 2 QCon SF 2012 Jeff Brown Grails Core Developer SpringSource jbrown@vmware.com @jeffscottbrown Polyglot? In the context of compu/ng, a polyglot is a computer

162 views • 14 slides
How Healthy (Robust) is Your Ability to Manage Risk? Thoughts on Risk Based Thinking

How Healthy (Robust) is Your Ability to Manage Risk? Thoughts on Risk Based Thinking

How Healthy (Robust) is Your Ability to Manage Risk? Thoughts on Risk Based Thinking Requirements in ISO 9001:2015 Presented at the March 17, 2016 ASQ Delaware Section Dinner Meeting Ron Makar (ASQ) CBA, CHA, CQA, CQE, CMQ/OE Principal

660 views • 39 slides
Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk

Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk

Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk Kevin&Lindsay Deputy&Head&of&Financial&Crime&Group

374 views • 10 slides
Credit Risk T ransfer Solutions RISK MANAGEMENT 4 STRATEGIES TO MANAGE CREDIT RISK TRANSFER

Credit Risk T ransfer Solutions RISK MANAGEMENT 4 STRATEGIES TO MANAGE CREDIT RISK TRANSFER

Credit Risk T ransfer Solutions RISK MANAGEMENT 4 STRATEGIES TO MANAGE CREDIT RISK TRANSFER Avoidance Acceptance Limitation *Most use one of several strategies on a single counterparty CREDIT RISK TRANSFER TOOLS TRADITIONAL Letter of

407 views • 17 slides
Banker has to Manage Credit

Banker has to Manage Credit

10/5/2018 Banker has to Manage Credit Risk, Interest Rate Risk, and Liquidity, and still earn a profit A Business in a set of Financial Statements Balance Sheet

224 views • 6 slides
Graal, GraalVM, Truffle: What do they mean for polyglot developers? 26-27th March 2018 59th

Graal, GraalVM, Truffle: What do they mean for polyglot developers? 26-27th March 2018 59th

Graal, GraalVM, Truffle: What do they mean for polyglot developers? 26-27th March 2018 59th CREST Open Workshop UCL Presentation: live slides http://bit.ly/graal-polyglot-devs About me - Software Engineer - Interests: code quality, testing,

572 views • 38 slides
POLYGLOT WITH GRAALVM O S C O N 2 0 1 9 / M I C H A E L H U N G E R / @ M E S I R I I

POLYGLOT WITH GRAALVM O S C O N 2 0 1 9 / M I C H A E L H U N G E R / @ M E S I R I I

POLYGLOT WITH GRAALVM O S C O N 2 0 1 9 / M I C H A E L H U N G E R / @ M E S I R I I MICHAEL HUNGER Caretaker General, Neo4j Head of Neo4j Labs Disturber of the Peace Java Champion (graphs)-[:ARE]->(everywhere) Twitter &

1.14k views • 97 slides
Reinsurance A solution to manage longevity risk M. SAUNIER P. VALADE 11 Longevity Lyon

Reinsurance A solution to manage longevity risk M. SAUNIER P. VALADE 11 Longevity Lyon

Reinsurance A solution to manage longevity risk M. SAUNIER P. VALADE 11 Longevity Lyon 9 Septembre 2015 Longevity risk transfer The risk is defined as : Effect of uncertainty on objectives The longevity risk can be seen as

398 views • 23 slides
C R E AT I N G A N E F F E C T I V E S A F E T Y C O M M I T T E E . . . WHAT IS RISK

C R E AT I N G A N E F F E C T I V E S A F E T Y C O M M I T T E E . . . WHAT IS RISK

PERMA Annual Conference 2016 We can work it out! C R E AT I N G A N E F F E C T I V E S A F E T Y C O M M I T T E E . . . WHAT IS RISK MANAGEMENT? The Process of Identifying and Evaluating Risk and Developing Strategies to Manage

878 views • 31 slides
Gambling Lesson one: How can we manage risk? What should our ground rules be for this series

Gambling Lesson one: How can we manage risk? What should our ground rules be for this series

Gambling Lesson one: How can we manage risk? What should our ground rules be for this series of lessons? Learning Outcomes List factors which help people to assess risk Justify why some factors should be given more weight than

719 views • 43 slides
How Local Agencies Can Better Manage Their Treasury Risk Ben Leavitt, CPA, CFE John Dominguez,

How Local Agencies Can Better Manage Their Treasury Risk Ben Leavitt, CPA, CFE John Dominguez,

How Local Agencies Can Better Manage Their Treasury Risk Ben Leavitt, CPA, CFE John Dominguez, CPA, CFE, CGMA Our Session Today Defining Risk Key Elements in a Sound Internal Control Structure Risks in Treasury Operations Is

619 views • 46 slides
FD FDF W F Webi ebinar nar: : Ri Risk sk Man Manage agemen ment t an and C d Cov

FD FDF W F Webi ebinar nar: : Ri Risk sk Man Manage agemen ment t an and C d Cov

Wel elco come me, FD FDF W F Webi ebinar nar: : Ri Risk sk Man Manage agemen ment t an and C d Cov ovid-19 19 - Presented by Global Counsel Wednesday 10 June 2020, 11:00am 12:00pm Se Sessi ssion on On One - Preparing

413 views • 25 slides
RISKY BUSINESS: How To Manage Your Best Interest Duty And Manage Claims Effectively Mark

RISKY BUSINESS: How To Manage Your Best Interest Duty And Manage Claims Effectively Mark

RISKY BUSINESS: How To Manage Your Best Interest Duty And Manage Claims Effectively Mark Everingham Managing Director of Personal Risk Professionals AGENDA Insurance inside vs outside of Superannuation Top 5 lessons to learn regarding

757 views • 43 slides
Behind the Silence Hitomi Omata Rappo An Enquiry into the Movies Swiss National

Behind the Silence Hitomi Omata Rappo An Enquiry into the Movies Swiss National

Film Screening Silence, March 24th 2017 Behind the Silence Hitomi Omata Rappo An Enquiry into the Movies Swiss National Science Foundation Fellow Visiting Researcher Historical Background Institute for Advanced Jesuit

886 views • 18 slides
The 4 Simple (But Unusual) Marketing Strategies That Transformed HubSpots Growth Hi, Im

The 4 Simple (But Unusual) Marketing Strategies That Transformed HubSpots Growth Hi, Im

The 4 Simple (But Unusual) Marketing Strategies That Transformed HubSpots Growth Hi, Im Kipp CMO at HubSpot Break-throughs If you don't have a few "Wait! we're doing it all wrong!" moments in your career, you're, well...

1.09k views • 82 slides
File I/O With Python File Opening file_reading_variable = open(filename.txt, mode )

File I/O With Python File Opening file_reading_variable = open(filename.txt, mode )

File I/O With Python File Opening file_reading_variable = open(filename.txt, mode ) Three Modes to consider: r, a, w Lorem ipsum dolor sit Lorem ipsum dolor sit Lorem ipsum dolor sit amet, consectetur amet,

223 views • 10 slides
Layered Systems Software Design and Architectures Layered Systems BSD Unix Layered Architecture

Layered Systems Software Design and Architectures Layered Systems BSD Unix Layered Architecture

Software Design and Architectures 4 Software Architectures: Layered Systems Software Design and Architectures Layered Systems BSD Unix Layered Architecture lorem 1 examples examples patten ipsum 2 responsibilities dolor 3 communication

243 views • 10 slides
Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and

Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and

Compiling Android userspace and Linux Kernel with LLVM Nick Desaulniers, Greg Hackmann, and Stephen Hines* October 18, 2017 *This was/is a really HUGE effort by many other people/teams/companies. We are just the messengers. :) Making large

565 views • 42 slides
The 5 th Argument Mining Workshop The Argument Mining Community is Growing 90 80 82 70 60

The 5 th Argument Mining Workshop The Argument Mining Community is Growing 90 80 82 70 60

The 5 th Argument Mining Workshop The Argument Mining Community is Growing 90 80 82 70 60 59 50 51 40 30 35 20 10 0 2015 2016 2017 2018 "Argument(ation) Mining" Number of registered # of results in Google Scholar

315 views • 7 slides
Riak to the Rescue Migrating Big Data Big Data. Buzzwords. Dont believe the Hype. Who am

Riak to the Rescue Migrating Big Data Big Data. Buzzwords. Dont believe the Hype. Who am

Riak to the Rescue Migrating Big Data Big Data. Buzzwords. Dont believe the Hype. Who am I? Support Development SysAdmin Managing Operations 8 Ops Engineers Operations 4 Offices 650 physical Operations 200 virtual 3 data centres

1.7k views • 112 slides
CS 528 Mobile and Ubicomp Lecture 3a: Data-Driven Layouts & Android Components Emmanuel Agu

CS 528 Mobile and Ubicomp Lecture 3a: Data-Driven Layouts & Android Components Emmanuel Agu

CS 528 Mobile and Ubicomp Lecture 3a: Data-Driven Layouts & Android Components Emmanuel Agu Data-Driven Layouts Data-Driven Layouts LinearLayout, RelativeLayout, TableLayout, GridLayout useful for positioning UI elements UI data is

409 views • 24 slides

More recommend