18:00 – Welcome with food and drinks
18:30 – First talk by Daniel Barbu & Bogdan Simion, Adobe
19:30 – Second talk by Cristian Pascariu, Canon
20:30 – Networking
21:00 – End
Location: Accenture, Orteliuslaan 1000, Utrecht
Go to the main entrance and follow our DevSecOps Meetup signs.
Public Transport: Coming from Utrecht Central Station, take bus number 102, 107, 388, 90, 85, 24 or 195 leaving from platform C1 or C2. Get off at bus stop "P + R Papendorp" and walk along the Deloitte building towards the Courtyard Building, where the Accenture office is located.
Parking: Public parking available (P+R Papendorp) with a 5-minute walk to the venue.
We are excited to have our next DevSecOpsNL meetup and see the Dutch DevSecOps community growing.
Together with Accenture, we will have another great evening with great speakers. The evening will consist of two talks by three great security professionals. We hope that you will enjoy the presentations and wish you an interesting evening.
Join our Meetup group: https://www.meetup.com/DevSecOps-Netherlands/
Follow us on Twitter: @DevSecOpsNL and LinkedIn: DevSecOps Netherlands
Daniel Barbu & Bogdan Simion
Summary: Building a DevSecOps mindset: stories from the trenches in the clouds
DevSecOps principles come in as an extension of the DevOps principles, so that teams not only achieve Development and Operations goals but also augment them with Information Security goals, thereby achieving business objectives. Better security means being available and capable of easily recovering from issues, so our goals include: observe, by leveraging automation to generate, track and gather evidence on demand and for operational and compliance purposes; overcome security problems before they cause catastrophic results; and increase the predictability of the systems.
So why not see how we engage InfoSec early, embed security within CI/CD, implement security beyond compliance and adopt a tailored approach? At Adobe, being tasked with monitoring an environment consisting of thousands of hosts serving several products scattered across AWS, Azure and data centers in multiple geographies, using different Linux and Windows flavours, is the stuff of nightmares, so we came up with and open sourced Hubble, a modular security and compliance framework for building robust host monitoring, which leverages the capabilities of Facebook’s OsQuery. Getting all teams to consistently apply most of the DevSecOps practices is a journey, neither short nor easy, but unavoidable if we want to succeed in the world of services.
Bio: Daniel Barbu is a Ph.D candidate in the field of Information Security who brings passion into his daily tasks.
He enjoyed learning and growing while working at Electronic Arts, Dell Secureworks and now Adobe. As the leader of BSidesBucharest and member of OWASP Bucharest Chapter, Daniel is constantly seeking opportunities to popularize information security. On a personal note, he feels he owes his accomplishments to his wife and kids. Daniel is currently leading a team at Adobe Romania, where he focuses on the growth of the team members’ skill set.
For the past four years, Bogdan Simion has enjoyed working at Adobe as an Information Security Analyst, where he works to correlate large amounts of data from different environments in an effort to catch and stop threats. He is currently focusing his efforts on creating content in order to improve the host-based monitoring capabilities.
Bogdan is a big fan of Splunk and OsQuery, among other open source tools.
Summary: Addressing internal threats with Continuous Application Security
In today’s day and age, no matter what the industry, companies are storing and processing a vast amount of information in various IT platforms and solutions. As the amount of data and users grows, the business needs will overshadow important aspects of the application life-cycle. Business leaders accept risks which they have very little information about. This is where continuous application security can add value, helping identify risks and collaborating on remediation plans. On a more detailed level, security practices are often divided into pillars; this presentation is all about leveraging current capabilities and services to increase the value that information security provides back to the business.
Starting with the application security assessments, these should be on a repeatable schedule, at least for the critical applications. This approach is also tailored to agile methodologies, with shorter and more frequent audits performed in each sprint. Security requirements become security user stories and are added to the backlog during planning events. Vulnerability management should be used in correlation with AppSec assessments; these automated scans will reduce the amount of human effort required. Penetration testing reports reveal not only vulnerabilities of the application, but also information about all the assets and the underlying infrastructure that can be used to consolidate the CMDB. This presentation outlines a new approach where risks that are ignored or forgotten become daily agenda items. All risks are prioritized based on business impact, so business leaders have greater insight and control over the future of their data.