Agile + DevOps East 2023 - Security
Wednesday, November 8
Addressing Security Risks In LLM-Based Applications
Large Language Models continue to grow in popularity as people experiment, applying them to problems and pushing new code into production applications. Growing along with this popularity is an engineering approach that advocates outsourcing more and more of an application’s functionality to these LLMs. But what seems like an advantage on the surface masks different costs and risks. Ultimately, you may end up with less reliable code that’s harder to troubleshoot and fix, accruing technical debt along the way. There’s also the potential increase in attack surface from integrating LLMs into...
Continuous Security Compliance Realized: Reducing the Regulatory Burden with DevSecOps Automation
Most organizations are subject to the rules of an ever-increasing number of regulations, while dealing with a rapidly escalating number of endpoints and environments to test. No matter the time and resources applied to an external assessment or audit, manual processes cannot keep pace with cloud scale and the growing technical complexity of modern environments. This creates distractions for technical teams and contributes to delivery inefficiencies (reduced velocity) while also increasing the risk of “non-compliance” (adverse audit findings). A “continuous compliance” approach, empowered by modern DevOps...
DevSecOps in a Bottle—The Care and Feeding of Pocket Pipelines
DevSecOps techniques give us the power of receiving rapid feedback and the ability to incorporate new information on an ongoing basis. However, challenges arise when the development pipeline must be established without connection to external networks. There are excellent reasons for doing this, including reducing security risks to systems and proprietary data, but a little more consideration is required to provide our teams on pocket networks the same benefits of an end-to-end DevSecOps pipeline implementation for our container application. We will draw on our practical experience...
Thursday, November 9
Pipelineless Security
It's 2023 and security still needs to earn some respect if they want to slide their Sec between Dev and Ops. Their tooling slows down deployment pipelines, typically finding more false positives than real bugs, usually in code written years ago, and often harming development velocity. To their credit, security teams will occasionally make concessions, like pulling long-running rules out of static analysis engines, but that means that the bugs those tools would otherwise find get caught months later in bug bounties, penetration tests, or security incidents. Bug reports for code you didn't...