how to manage risk of your polyglot environments
play

How to Manage Risk of Your Polyglot Environments Manage Risk: - PowerPoint PPT Presentation

Jul 13, 2023 •286 likes •711 views

How to Manage Risk of Your Polyglot Environments Manage Risk: Polyglot Environments Presenters Jeff Rouse , VP Product, ActiveState Pete Garcin , Senior Product Manager, ActiveState Larry Maccherone, Head of DevSecOps Transformation,

  1. How to Manage Risk of Your Polyglot Environments

  2. Manage Risk: Polyglot Environments Presenters Jeff Rouse , VP Product, ActiveState ● Pete Garcin , Senior Product Manager, ActiveState ● Larry Maccherone, Head of DevSecOps Transformation, Comcast ●

  3. VP Product Jeff Rouse, ActiveState

  4. Manage Risk: Polyglot Environments Platform Presentation Jeff Rouse VP Product ActiveState

  5. Manage Risk: Polyglot Environments Track-record: 97% of Fortune 1000, 20+ years open source Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby Runtime Focus: concept to development to production

  6. Manage Risk: Polyglot Environments What is Polyglot? SQL

  7. Manage Risk: Polyglot Environments How Do Polyglot Environments Evolve? Technology. Best tool for the job, modern ● software projects. People. technology stacks added through ● acquisition, changes in tech leadership Time. technologies come in & out of favour; old ● languages never die.

  8. Manage Risk: Polyglot Environments Every Organization is Polyglot Any desktop application with an online ● component. YAML configuration used with any project. ● An application with embedding scripting. ●

  9. Manage Risk: Polyglot Environments Adding a Language Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

  10. Manage Risk: Polyglot Environments Rank the Challenges Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

  11. Manage Risk: Polyglot Environments Stability & Security → Painful Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

  12. Manage Risk: Polyglot Environments Hidden Costs 75% Managing dependencies Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

  13. Manage Risk: Polyglot Environments Benefits Speed. Ship faster: better products, better ● innovation. Recruitment. Be attractive workplace: enable ● coders to choose the tools they need.

  14. Manage Risk: Polyglot Environments Drawbacks Variability. Tooling support & programming ● language quality. Expertise Gap. Deep core competency at odds with ● breadth of programming languages. Dependencies. Larger pool of dependencies. ● Support Costs. Unable to centralize, maintenance. ●

  15. Manage Risk: Polyglot Environments Presentation Title Title color by theme Magnified Issues How will you monitor, identify and resolve? Most important tex. tipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute Production bugs, Common Vulnerabilities & Exposures (CVE), irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. threats; additional risk exposure with 3rd party dependencies. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Equifax Breach: out of date 3rd party dependency

  16. Presentation Title Resolutions Reduce Reduce Reduce Reduce Attack Libs Tools Services Surface Robust Processes, Automated and Centralized for Visibility

  17. Senior Product Manager Pete Garcin, ActiveState

  18. Manage Risk: Polyglot Environments Platform Presentation Pete Garcin Senior Product Manager ActiveState

  19. Manage Risk: Polyglot Environments Automated Processes

  20. Manage Risk: Polyglot Environments

  21. Manage Risk: Polyglot Environments Automating Environments Automate. ● Bundle. ● Simplify Shares. Encourage adoption of common ● environments.

  22. Manage Risk: Polyglot Environments

  23. Manage Risk: Polyglot Environments

  24. Manage Risk: Polyglot Environments Solving Core Problems Environment Dependency Workflow Configuration Management Configuration

  25. Manage Risk: Polyglot Environments Best Practices - Build Eng & Development Build Standard Reproduce & Manage Shrink Build

  26. Manage Risk: Polyglot Environments Best Practices - Development to Production Monitor Runtime Get Updates

  27. Manage Risk: Polyglot Environments Benefits to You Dev Zen Same Same Time

  28. E7: SDL Self Assessment | 28 Security at the Speed of Software Development Presented by: Larry Maccherone DELETE A lean/agile transformation approach to achieving a DevSecOps culture Privileged and Confidential The approach for Comcast’s Secure Development Lifecycle (SDL) initiative

  29. E7: SDL Self Assessment | 29 DELETE Larry Maccherone Larry Maccherone LinkedIn.com/in/LarryMaccherone Larry_Maccherone@Comcast.com Privileged and Confidential

  30. Security practices on DevOps continuum ➔ DevSecOps • Analysis → Learning • Pen testing (Vuls found → Test scripts) • Defect/Incident 3-step • Compliance validation (PCI, etc.) • New attack surface? • Fuzzing Plan to update threat model • • Test security features Restore/maintain service for • Common abuse cases non-attack usage • Break the build • RASP auto respond code analysis • Roll-back or toggle off • Block attacker • Shut down services • Static/IAST analysis • Abuse case tests • Code review • Intrusion detection • App attack detection • Threat modeling → backlog items • Analyze/Predict → backlog items • • Log information for If we do X will it mitigate Y? • Design complies with policy? • Configuration validation • after-incident analysis Capacity forecasting • Feature toggles/Traffic • Learning → Update playbooks shaping configuration and Training • Secrets management

  31. That’s a lot of stuff! How do we get development teams to adopt?

  32. E E X X A A M M P P L L E E 3 2

  33. E E L L P P Visualizing an Org’s M M A A practices X X E E

  34. Dev [Sec] Ops is … empowered engineering teams taking ownership of how their product performs in production [including security] LinkedIn.com/in/LarryMaccherone

  35. Build security in more than bolt it on Rely on empowered engineering teams DevSecOps Manifesto more than security specialists Implement features securely more than security features Rely on continuous learning more than end-of-phase gates Build on culture change more than policy enforcement

  36. We, the Security Team … Recognize that Engineering Teams … Pledge to … • • Want to do the right thing Lower the cost/effort side of any investment in • Are closer to the business context and will developer security tools or make trade-off decisions between security practices and other risks • Assist 2x as much with • Want information and advice so those preventative initiatives as trade-off decisions are more informed we beg for your assistance reacting to security incidents Understand that … • We are no longer gate keepers but rather tool-smiths and advisors

  37. DevSecOps Tool Landscape Primary Code Analysis Dynamic • Exercises app via UI/API IAST Fuzzing (black box) • Senses vulnerability by response to input for code you write (1st • Runtime code analysis (PCA) • Instruments system (to varying degrees) • Zero? false positives. Report is an exploit • Combine dynamic/static • Sends unexpected input at API • High false negatives • Low false positives • Looks at response and instrumentation output • Difficult to implement especially w/ auth party) • Depends on test coverage • Great for testing protocols like SIP • Sometimes hard to find code to remediate • Immature but getting there • Good for REST APIs • Potentially long run times Static Analysis (aka SAST) • Hard to find code to remediate • Looks at source code • Data/control flow analysis • Prone to false positives • Rapid feedback for developers • Code fix suggestions Software Composition Analysis (SCA) for code you import (3 rd party) Runtime Application • Identifies dependency and version Security Protection • Checks CVE/NVD + … for reported (RASP) vulnerabilities • Often uses same engine • Proposes version/patch to remediate as IAST • Checks license vs policy • Reports on “bad” • Runs fast behavior • Easy to implement • Can abort transaction or • Best bang for buck! kill process to protect

  39. • Questions? • Pilot this DevSecOps What’s transformation framework next? with a few of your teams • Connect with me on: LinkedIn.com/in/LarryMaccherone LinkedIn.com/in/LarryMaccherone

  40. Q & A

  41. What’s Next Watch a demo: ● https://www.youtube.com/watch?v=c5AIxN9ehrI Get a demo marketing@activestate.com ● Contact us for the language build you need: ● platform@activestate.com

  42. Manage Risk: Polyglot Environments Where to find us Tel: 1.866.631.4581 Website: www.activestate.com Twitter: @activestate Facebook: /activestatesoftware

Recommend

Risk Manage me nt and I nte rnal Co ntro l fo r Churc he s 1 Pr ac tic al Chur c h R isk

Risk Manage me nt and I nte rnal Co ntro l fo r Churc he s 1 Pr ac tic al Chur c h R isk

Risk Manage me nt and I nte rnal Co ntro l fo r Churc he s 1 Pr ac tic al Chur c h R isk Manage me nt In most churches, risk management is addressed in piecemeal form, and on a reactive basis. 2 Pr ac tic al Chur c h R isk Manage me nt

445 views • 23 slides
2016 Presentation Descriptions Rewards of Risk: Interplay of Risk, Culture, and Objectives Drew

2016 Presentation Descriptions Rewards of Risk: Interplay of Risk, Culture, and Objectives Drew

2016 Presentation Descriptions Rewards of Risk: Interplay of Risk, Culture, and Objectives Drew Leemon, National Outdoor Leadership School Wilderness and adventure programs and organizations that work in remote environments have to manage risks.

306 views • 4 slides
Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen

Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen

Transformations on Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen schildgen@cs.uni-kl.de Yannick Krck Stefan Deloch Polyglot Persistence 3 Polyglot Persistence db.product.insert ({})

626 views • 50 slides
Polyglot Web Development With Grails 2 QCon SF 2012 Jeff Brown Grails Core Developer

Polyglot Web Development With Grails 2 QCon SF 2012 Jeff Brown Grails Core Developer

Polyglot Web Development With Grails 2 QCon SF 2012 Jeff Brown Grails Core Developer SpringSource jbrown@vmware.com @jeffscottbrown Polyglot? In the context of compu/ng, a polyglot is a computer

162 views • 14 slides
How Healthy (Robust) is Your Ability to Manage Risk? Thoughts on Risk Based Thinking

How Healthy (Robust) is Your Ability to Manage Risk? Thoughts on Risk Based Thinking

How Healthy (Robust) is Your Ability to Manage Risk? Thoughts on Risk Based Thinking Requirements in ISO 9001:2015 Presented at the March 17, 2016 ASQ Delaware Section Dinner Meeting Ron Makar (ASQ) CBA, CHA, CQA, CQE, CMQ/OE Principal

660 views • 39 slides
Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk

Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk

Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk Kevin&Lindsay Deputy&Head&of&Financial&Crime&Group

374 views • 10 slides
Credit Risk T ransfer Solutions RISK MANAGEMENT 4 STRATEGIES TO MANAGE CREDIT RISK TRANSFER

Credit Risk T ransfer Solutions RISK MANAGEMENT 4 STRATEGIES TO MANAGE CREDIT RISK TRANSFER

Credit Risk T ransfer Solutions RISK MANAGEMENT 4 STRATEGIES TO MANAGE CREDIT RISK TRANSFER Avoidance Acceptance Limitation *Most use one of several strategies on a single counterparty CREDIT RISK TRANSFER TOOLS TRADITIONAL Letter of

407 views • 17 slides
Banker has to Manage Credit

Banker has to Manage Credit

10/5/2018 Banker has to Manage Credit Risk, Interest Rate Risk, and Liquidity, and still earn a profit A Business in a set of Financial Statements Balance Sheet

224 views • 6 slides
Graal, GraalVM, Truffle: What do they mean for polyglot developers? 26-27th March 2018 59th

Graal, GraalVM, Truffle: What do they mean for polyglot developers? 26-27th March 2018 59th

Graal, GraalVM, Truffle: What do they mean for polyglot developers? 26-27th March 2018 59th CREST Open Workshop UCL Presentation: live slides http://bit.ly/graal-polyglot-devs About me - Software Engineer - Interests: code quality, testing,

572 views • 38 slides
POLYGLOT WITH GRAALVM O S C O N 2 0 1 9 / M I C H A E L H U N G E R / @ M E S I R I I

POLYGLOT WITH GRAALVM O S C O N 2 0 1 9 / M I C H A E L H U N G E R / @ M E S I R I I

POLYGLOT WITH GRAALVM O S C O N 2 0 1 9 / M I C H A E L H U N G E R / @ M E S I R I I MICHAEL HUNGER Caretaker General, Neo4j Head of Neo4j Labs Disturber of the Peace Java Champion (graphs)-[:ARE]->(everywhere) Twitter &

1.14k views • 97 slides
Reinsurance A solution to manage longevity risk M. SAUNIER P. VALADE 11 Longevity Lyon

Reinsurance A solution to manage longevity risk M. SAUNIER P. VALADE 11 Longevity Lyon

Reinsurance A solution to manage longevity risk M. SAUNIER P. VALADE 11 Longevity Lyon 9 Septembre 2015 Longevity risk transfer The risk is defined as : Effect of uncertainty on objectives The longevity risk can be seen as

398 views • 23 slides
C R E AT I N G A N E F F E C T I V E S A F E T Y C O M M I T T E E . . . WHAT IS RISK

C R E AT I N G A N E F F E C T I V E S A F E T Y C O M M I T T E E . . . WHAT IS RISK

PERMA Annual Conference 2016 We can work it out! C R E AT I N G A N E F F E C T I V E S A F E T Y C O M M I T T E E . . . WHAT IS RISK MANAGEMENT? The Process of Identifying and Evaluating Risk and Developing Strategies to Manage

878 views • 31 slides
Gambling Lesson one: How can we manage risk? What should our ground rules be for this series

Gambling Lesson one: How can we manage risk? What should our ground rules be for this series

Gambling Lesson one: How can we manage risk? What should our ground rules be for this series of lessons? Learning Outcomes List factors which help people to assess risk Justify why some factors should be given more weight than

719 views • 43 slides
How Local Agencies Can Better Manage Their Treasury Risk Ben Leavitt, CPA, CFE John Dominguez,

How Local Agencies Can Better Manage Their Treasury Risk Ben Leavitt, CPA, CFE John Dominguez,

How Local Agencies Can Better Manage Their Treasury Risk Ben Leavitt, CPA, CFE John Dominguez, CPA, CFE, CGMA Our Session Today Defining Risk Key Elements in a Sound Internal Control Structure Risks in Treasury Operations Is

619 views • 46 slides
FD FDF W F Webi ebinar nar: : Ri Risk sk Man Manage agemen ment t an and C d Cov

FD FDF W F Webi ebinar nar: : Ri Risk sk Man Manage agemen ment t an and C d Cov

Wel elco come me, FD FDF W F Webi ebinar nar: : Ri Risk sk Man Manage agemen ment t an and C d Cov ovid-19 19 - Presented by Global Counsel Wednesday 10 June 2020, 11:00am 12:00pm Se Sessi ssion on On One - Preparing

413 views • 25 slides
RISKY BUSINESS: How To Manage Your Best Interest Duty And Manage Claims Effectively Mark

RISKY BUSINESS: How To Manage Your Best Interest Duty And Manage Claims Effectively Mark

RISKY BUSINESS: How To Manage Your Best Interest Duty And Manage Claims Effectively Mark Everingham Managing Director of Personal Risk Professionals AGENDA Insurance inside vs outside of Superannuation Top 5 lessons to learn regarding

757 views • 43 slides
Risk metrics Eric Marsden <eric.marsden@risk-engineering.org> You cant manage what

Risk metrics Eric Marsden <eric.marsden@risk-engineering.org> You cant manage what

Risk metrics Eric Marsden <eric.marsden@risk-engineering.org> You cant manage what you dont measure A measure is an operation for assigning a number to something A metric is our interpretation of the assigned number

795 views • 41 slides
Any Time, Any Place Manage Risk with innovative Cloud- based application What is RiskPoynt?

Any Time, Any Place Manage Risk with innovative Cloud- based application What is RiskPoynt?

Visualize Integrity, Gain Control, Operate Safely Any Time, Any Place Manage Risk with innovative Cloud- based application What is RiskPoynt? RiskPoynt is a Cloud based application developed and used for 10 year to visualise and manage

310 views • 10 slides
Polyglot Tutorial PLDI 2014 Steve Chong, Harvard University Chin Isradisaikul, Cornell

Polyglot Tutorial PLDI 2014 Steve Chong, Harvard University Chin Isradisaikul, Cornell

Polyglot Tutorial PLDI 2014 Steve Chong, Harvard University Chin Isradisaikul, Cornell University Andrew Myers, Cornell University Nate Nystrom, University of Lugano Overview Today: Polyglot architecture Run through of an

1.24k views • 91 slides
Workshops Liability Risk How can we manage this Alison.Hamilton@barnett-waddingham.co.uk

Workshops Liability Risk How can we manage this Alison.Hamilton@barnett-waddingham.co.uk

CIPFA Pensions Network Workshops Liability Risk How can we manage this Alison.Hamilton@barnett-waddingham.co.uk October 2012 Agenda What are the liabilities Analysing the risks Some tools to help this What about the unknowns Questions and

261 views • 22 slides
Risk Mitigation in Challenging Environments Mark Wachter Regional Security Manager- Americas

Risk Mitigation in Challenging Environments Mark Wachter Regional Security Manager- Americas

2/16/2012 Risk Mitigation in Challenging Environments Mark Wachter Regional Security Manager- Americas Travel Security Services Key Points How to enhance risk assessment/mitigation cycle Assess posture and operating profile

283 views • 13 slides
The Use of Wastewater Models to Manage Risk Thursday, January 23, 2020 1:00 3:00 PM ET 2 1

The Use of Wastewater Models to Manage Risk Thursday, January 23, 2020 1:00 3:00 PM ET 2 1

1/23/2020 1 The Use of Wastewater Models to Manage Risk Thursday, January 23, 2020 1:00 3:00 PM ET 2 1 1/23/2020 How to Participate Today Audio Modes Listen using Mic & S peakers Or, select Use Telephone

857 views • 53 slides
How to manage effective risk assessments About me Safety Lead at PfP Leisure 27 million

How to manage effective risk assessments About me Safety Lead at PfP Leisure 27 million

How to manage effective risk assessments About me Safety Lead at PfP Leisure 27 million annual visits 8,000 staff Member of the NSPCC/CPSU Leisure Centre Group Ukactive Safety Group Sub editor of the HSEs Managing

378 views • 15 slides
Using Standards to Cost- Effectively Manage Risk Georgia Logistics Summit Atlanta, Georgia May

Using Standards to Cost- Effectively Manage Risk Georgia Logistics Summit Atlanta, Georgia May

Using Standards to Cost- Effectively Manage Risk Georgia Logistics Summit Atlanta, Georgia May 2011 Steve OMalley - ISO Ship & Supply Chain Security Standards Coordinator Motivators* Fear Guilt Government regulation Or,

903 views • 67 slides

More recommend