Best practices for securing CI/CD pipeline by Victoria Almazova + lightning talk


Details
Best practices for securing CI/CD pipeline - Victoria Almazova
DevOps practices are in place; containers are everywhere, pipelines are flying. We do Agile. We do DevOps. Now we try to follow security practices for protecting the deployed resources, too. This is the reason why DevSecOps is no longer hype and is gaining more prominence. There is a lot of information about DevSecOps, but how do you do it properly? Where do you start? What are the best practices?
In this session, we will walk through an end-to-end scenario in which we deploy infrastructure components securely to Azure using Azure DevOps, Azure Container Registry and security tools. We will build a pipeline with security in mind, to protect against and detect potential security flaws during the build.
You will learn:
- How to build an end-to-end CI/CD pipeline that builds the application and deploys infrastructure on Azure, with security checks for the application, containers and infrastructure;
- Which security tools are available for CI/CD pipelines and how best to integrate them into different Git workflows;
- Best practices and patterns for building security pipelines.
Victoria is a security girl at Microsoft with more than 13 years of experience in security. She spends all her time working closely with developers and architects to make security built in from the design level. She is a big supporter of making security a culture and of shifting security to the left through DevOps. Victoria believes that empowering developers and architects in security tasks, by helping with education, will increase the security level without adding workload.
In her free time, she deep dives into cloud security, development, and identity and access management. And of course, she doesn't forget about running, hiking and motorcycles, which are her biggest passions after security.
Crypto for Pentesters - Tor Erling Bjørstad
“A cryptosystem should be secure even if everything about the system, except the key, is public knowledge” (Auguste Kerckhoffs, 1883)
Modern crypto is actually pretty good. Nobody is going to break RSA or AES by accident on a pentest assignment. Modern crypto is also surprisingly subtle. Even if it says AES on the box, the devil is in the implementation details.
In this talk, we’ll look at a few common crypto fails and discuss their exploitability in a practical setting. The goal is to help the audience recognize and avoid problems that are common in the field.
Tor leads the application security practice at mnemonic. He has been working full-time in software security and cryptography since 2006, at times playing the role of security champion and defender, at other times the attacker hunting for ways to break in. Tor holds a Ph.D. in cryptography from the University of Bergen.
The presentations will be held in English.
Pizza and soda will be served at the meetup, sponsored by Microsoft.
A big thanks to mnemonic (https://www.mnemonic.no/) for supporting the OWASP Norway Day 2018 as a platinum sponsor.