AppSec and DevOps - What Should Teams Be Focusing On

AppSec California 2015 is just around the corner. I’ve looked at the agenda to get a sense of where attendees will spend their time. Overall, I suspect the top areas of interest will revolve around:

  • OWASP Top 10: SQL Injections, XSS, Chrome, Java, and other web/mobile app vulnerabilities, safeguards, and controls
  • Mobile Devices and Apps: iOS, Android, medical devices, geolocation, mobile SSL, Internet of things, MDM, and more
  • Collection of Best Practices: Development models, cryptography, threat modeling, ROI, policy management, GRC, and incident response

Here are my picks for the “must-see” sessions based on role:

  • Application Developers | Iron-Clad Development: Building Secure Applications (Training)
  • Application Testers and Quality Assurance | Why Your AppSec Experts Are Killing You (Session)
  • Application Project Management and Staff | Scaling Security in Agile Scrum (Session)
  • CIOs, CISOs, and CTOs | Building a Modern Security Engineering Organization (Session)
  • Security Managers and Staff | Enterprise Incident Response (Training)
  • CFOs, IT Risk and Compliance Staff and Auditors | Proactively defending your business against security protocol attacks and implementation flaws (Session)
  • Governance Executives, Managers, and Staff | Misconceptions in the Cloud (Session)
  • IT Professionals Interested in Improving IT Security | OWASP Top Ten Proactive Controls (Session)

I’m curious to know what sessions and trainings would be most interesting and valuable for you and your team. Is the security industry investing in the right topics? What's missing? Does anyone else find it troubling that we continue to discuss SQL injections and XSS as part of the OWASP top 10?

Brazilian University Embraces Wireless, BYOD, and IPv6

As part of theCube’s continued coverage of the HP Discover conference in Las Vegas today, Wikibon founder Dave Vellante met with two practitioners from HP customer Sao Paulo State University in Brazil, whose network supports about 60,000 users, roughly 45,000 of them students and 10,000 faculty members. Each faculty member has their own VoIP device connected to the network, for a total of 10,000 managed VoIP endpoints. The campus, and therefore its network, is spread across 23 cities and supported by five regional nodes, with the main node located in the state capital. The network consists of two rings and a total of 40 WAN nodes.

The team manages over 300 physical servers, 60 percent of which are virtualized using VMware, a project that the university began in 2008.

The video provides some great insight into how an institution can embrace new technologies and the change that necessarily comes with being innovative. Read the article and watch the video.

Big Data and the Cloud – Take the Lead or Be Disrupted

Intel is a company driven by Moore’s law and possessing a culture that eats, drinks, and breathes innovation; it is always looking ahead, continuously moving forward, and constantly pushing itself to the next level. This doesn’t happen by accident: it is driven by the mission of a company organized and managed by leaders who embrace that mission and strive to uphold it. Big Data was a key element of Kim Stevenson's keynote earlier in the day, and she provided Furrier with her own definition of the term: “Big Data is all information created (machine-generated and human-generated) – all of this information fits into the Big Data envelope.” Stevenson, Vice President, Information Technology Group, and CIO at Intel, added that “the important parts of Big Data are the pieces we have failed to contextualize in a systematic way up until now.”

Among other things, Stevenson shared two recent scenarios in which Intel’s bleeding-edge innovation is evident, both of which were rooted in the Cloud.

1) The first use case was an in-house virtualized office/enterprise application store for Intel employees: Intel moved its office and enterprise application-provisioning services to an environment that is 75 percent virtualized and in the Cloud. “This allows us to provision our services in under an hour for all of our employees,” said Stevenson.

2) The second use case covered Intel’s product development and design engineering operations. Intel deployed a massive cloud-based compute infrastructure composed of 50,000 servers joined together in a grid (a “clustered cloud”). “This implementation dramatically improves the throughput time for every engineering job that happens at Intel,” said Stevenson.

The video delivers an amazing exchange between the hosts and the speaker; it is well worth watching. Read the article and watch the video to experience the conversation for yourself.