SIGS Special Interest Group
5th DevSecOps Forum
Target audience: professionals who are interested in the topic DevSecOps.
From consultancies and resellers/integrators, only technical people (who are involved in this topic in their daily job) are allowed to take part – max. one participant per company. Vendors and people in a Sales/Marketing role are not authorized as participants.
Earn 4 CPE (Continuing Professional Education) credits for attending this SIGS forum. Please request a confirmation.
Date of Event: 3rd December 2019
Further planned dates for 2020: 24th March, 23rd June and 12th November
Organization, presentations, beverages and apéro riche included
1:00 – 1:30 pm: Registration & Coffee
1:30 – 2:15 pm: Andreas Meister, Head Software Engineering/IT Security Architect at SBB AG
The SBB goes DevSecOps
The SBB has already taken a big step towards DevOps, but on the security side there is still potential. We want to exploit this potential with well-established engineering principles, combined with standardization and the possibilities offered by the new way of building and running applications. The goal is that security becomes an integral part of our software development cycle.
In this speech, you will hear how we promote change and how we are converting security from a blocking event to a continuous affair. You can learn how we automate and integrate security into our build pipeline. In our transformation, we take advantage of cloud technology, microservices, containers, and GitOps.
2:15 – 2:45 pm: Marcus Holthaus, Information and IT Security Architect at Suva
Dr. Marcus Holthaus architects and organizes Information Security at Suva, the Swiss National Accident Insurance Fund for the second sector of the Swiss economy. Before that, he was employed as an Information Security Architect in an international organization, where he created cloud-based security architectures, and before that he was involved in or led about 50 projects over more than 15 years as a self-employed consultant with staff specializing in information security innovation and organization.
He also ran a small Internet provider, did some lobbying e.g. for electronic identities and continues to engage in information society matters and independent consulting activities. He lives near Zug, is married and has a son.
Security in SAFe, Suva-style
The adoption of SAFe, the Scaled Agile Framework, marks a massive change in development and operational organization, not only for waterfall-experienced organizations such as Suva in general, but also because it makes the organization agile at middle and top levels. This requires a cultural change and an agile mindset, bottom-up and top-down. Regarding information security, it places much more responsibility in the hands of the individual teams, and not all of them may be up to that from the beginning, when there is no longer a security, compliance and quality gatekeeper to share the burden of high expectations.
Suva has been in SAFe mode since January 2019. Now that the dust has settled, it becomes clearer how information security needs to be involved in this playground. As a state-mandated company, Suva is strongly regulated. As security is not heavily defined in SAFe 4.6, there is room to innovate, while it is still possible to strongly adhere to pure SAFe in all other matters. As Suva is independently organized and physically concentrated in one location (Lucerne), implementation can proceed efficiently. The talk gives an insight into prepared decisions, first experiences and plans with security in SAFe, Suva-style.
2:45 – 3:30 pm: Andreas Lambrecht, Solution Architect at Aqua Security
Why Cloud Native Security is different and how you can master these challenges
Containers require a new approach to security, as the traditional security infrastructure is not applicable to cloud-native and serverless deployments. Instead, security must leverage the cloud-native principles of immutability, microservices and portability, using machine-learned behavioral whitelisting, integrity controls and nano-segmentation.
3:30 – 4:15 pm
4:15 – 6:00 pm: Workshop by Sven Vetsch, Head of Security Research at Redguard
As Head of Security Research at Redguard, Sven is responsible for keeping the company's attack and defense capabilities state-of-the-art and for identifying and integrating new developments. Sven is the leader of the OWASP Local Chapter in Switzerland and a founding member of DEFCON Switzerland.
Docker Container Hardening Workshop
Everyone is running containers nowadays. If you have a proper CI/CD pipeline set up, you might even check your images for outdated packages and some other things that could be considered a security problem. But wait, back in the day when we had complete (virtual) machines, was it enough to just update our system packages to keep everything secure? No, of course not. We hardened our systems, and sometimes this task was nearly impossible if you still had to maintain the basic functionality of a server or application. Now, when using containers, most of the hardening we see is just not running processes as root (mainly because OpenShift won't let us do so by default).
In this workshop I’ll introduce you to the dark arts of actual Docker container hardening. We’ll learn why containers finally allow us to implement real hardening measures and experience what is possible. After the workshop all of the attendees will leave with a good understanding of things like resource limitations, read-only root filesystems, capabilities, seccomp rules and overall attack surface limitation measures.
The workshop can be attended by up to 20 people (or even less depending on the room). A basic understanding of Docker and containers will be required prior to attending this workshop. Every attendee that wants to follow the workshop’s hands-on part will have to bring a machine with Docker installed that can run Linux containers (Docker for Mac/Windows will be fine).
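As an added illustration of the hardening measures the workshop description lists (not material from the workshop or from Redguard), the following Compose file runs the same web server image twice: once with Docker's defaults and once with a read-only root filesystem, dropped capabilities, a custom seccomp profile and resource limits. The image (`nginxinc/nginx-unprivileged`, which listens on 8080 as UID 101), the host ports and the seccomp profile file name are assumptions.

```yaml
# Added example, not from the workshop. Assumes the nginxinc/nginx-unprivileged
# image and a seccomp profile file ./nginx-seccomp.json next to this file.
services:

  web-default:
    image: nginxinc/nginx-unprivileged:1.25-alpine   # assumed tag
    ports: ["8080:8080"]
    # Docker defaults: writable root filesystem, the full default capability
    # set, Docker's default seccomp profile, and no CPU/memory/PID limits.

  web-hardened:
    image: nginxinc/nginx-unprivileged:1.25-alpine
    ports: ["8081:8080"]
    user: "101:101"              # never run as root inside the container
    read_only: true              # immutable root filesystem
    tmpfs:                       # only the paths nginx really writes, kept in RAM
      - /tmp:size=16m            # pid file and temp files of the unprivileged image
      - /var/cache/nginx:size=16m
    cap_drop: [ALL]              # start from zero capabilities ...
    # ... and add none: binding port 8080 does not need NET_BIND_SERVICE
    security_opt:
      - no-new-privileges:true   # setuid/setgid binaries cannot regain privileges
      - seccomp:./nginx-seccomp.json   # custom syscall allow-list (file assumed)
    pids_limit: 64               # guards against fork bombs / runaway processes
    mem_limit: 128m              # resource limitation: memory
    cpus: "0.5"                  # resource limitation: half a CPU
```

Applying the hardened block to your own image is iterative: start from `cap_drop: [ALL]` and `read_only: true`, then add back only the capabilities and writable tmpfs paths the application provably needs, which is exactly the attack-surface limitation exercise the workshop describes.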
6:00 pm – open end: Apéro Riche and Networking (so reserve the evening as well!)
The speakers will be onsite for Q&A.
The Sponsors of this event are:
This is a ‘must attend’ event for all security professionals! We are confident that the relationships you develop here will prove to be crucial to your continuing success.
With the registration for this event you accept that SIGS may use the data entered for its own purposes and may share it for use with its event partners and the event sponsors of this platform. In addition, we share the contacts with the community itself.