Trupti Shiralkar

Fremont, California, United States

About

As a product security leader and technologist, I am deeply committed to advancing…

Experience

  • Docusign, San Francisco Bay Area
  • Sunnyvale, California
  • Austin, Texas Area
  • Austin, Texas Area
  • Austin, Texas Area
  • Austin, Texas Area
  • Baltimore, Maryland Area
  • Baltimore, Maryland Area
  • Mumbai Area, India
  • Mumbai Area, India

Education

  • Johns Hopkins University

    Java Security, Cryptography, Computer Forensics and Incident Response, Security and Privacy, Financial Issues in Managing Security Operation (Risk Assessment), Rights in Digital Age (Intellectual Property Laws), Health Information Privacy Law and Policy (HIPAA), Implementing Effective Security Programs, Health care Security Management

Licenses & Certifications

  • Certified Information Systems Security Professional (CISSP®)

    (ISC)2

    Credential ID 399954
  • Certificate of Cloud Security Knowledge (CCSK)

    Cloud Security Alliance

    Credential ID 282887205830

Volunteer Experience

  • Communication Lead at Women Leaders in Motion (WLM) Austin

    Hewlett Packard Enterprise

    1 year 4 months

    Education

    Women Leaders in Motion is a cross-functional group of Austin employees organized to promote a diverse working environment, support and maximize personal and professional growth, advance recognition, provide mentoring, education, networking, enhance job satisfaction, job retention and work-life balance.
    Women Leaders in Motion is an integral part of HP's diversity strategy. Employee participation helps strengthen HP by:
    • fostering an inclusive work environment
    • cultivating connections and innovation
    • providing employees with opportunities to develop new skills that allow them to excel in their current jobs, exercise business skills, compete for new jobs and increase their personal and professional success

    • empowering individuals and promoting career self-reliance
    • improving communication and employee morale
    • helping attract and retain a diverse workforce
    • increasing employee engagement
    • enabling employees to serve as strategic business partners with management to enhance and demonstrate the wealth and value of HP's diverse employee base
    • fostering corporate, civic and community citizenship through outreach activities to schools and local communities

    Objectives:
    • Provide education, activities, and tools for HP Austin women with a focus on:
    – Professional Development
    – Communication & Leadership
    – Mentoring
    – Personal Health
    – Stress management
    – Work-Life Balance
    – Innovation
    • Provide networking opportunities for women in HP
    • Provide volunteer and community outreach activities at local schools and non-profit organizations
    • Help promote technology and education for young girls and women in the Austin area

  • Mindfulness Instructor

    Illumio

    1 year 2 months

    Health

    We live in a hyper-connected, fast-paced world where the difference between work and personal life is getting blurred. Some of the side effects of such a modern life include an overactive mind, impatience, a short attention span, loss of mental focus, worry, anxiety, fatigue, restlessness, inability to relax and many more. In collaboration with the HR team, I started weekly mindfulness sessions. The program included regular practice of:
    - Breathing techniques to calm the nervous system
    - 4 types of easy meditations to experience deep serenity within
    - Establishing a self-care routine
    - Positive attitude
    - Micro-movements to improve flexibility

Publications

  • BSides SF Panel: Combating AI's Privacy Abuses

    BSides San Francisco 2024

    The power of generative AI has unleashed creativity and augmented human productivity. Have you ever wondered about GenAI models' adherence to human data security and privacy? Join a team of experts to learn about privacy-related abuses and misuses and how we can reclaim privacy to protect data from the digital Robin Hoods.
  • Keynote: Gratitude Ignites, Growth Fortifies: Building an unbreakable cyber security Village

    Day of Shecurity 2024

    In a world filled with unyielding cyber threats, unstoppable breaches, countless security incidents, and a barrage of other security challenges, the work of our task force is often marked by a reactive and stress-laden journey. Amidst this, one vital element tends to slip through the cracks—the simple act of expressing gratitude to our dedicated team members tirelessly defending our digital realms.

    Gratitude, one of the most underestimated but powerful catalysts for growth, is frequently overlooked in the face of constant cybersecurity challenges. The keynote aims to shine a light on the importance of acknowledging the collective efforts shaping the foundation of cybersecurity resilience, promoting an environment where gratitude is as essential as the challenges we tackle.

    Cybersecurity thrives on collaboration. Success in security programs and individual cyber careers isn’t a solo endeavor. Unfortunately, many professionals take years to realize this, leading to career stagnation or the inability to launch impactful security initiatives. This presentation underscores the crucial need to build a robust community support system through knowledge sharing and expressing gratitude. By understanding that our collective success hinges on supporting one another, we pave the way for sustained growth.

    Recognizing the collaborative spirit of cybersecurity, this talk invites you to contemplate the pivotal roles of teamwork, appreciation, and shared knowledge. It advocates for a united front to drive our collective success in this dynamic field. Drawing on the speaker's background, skills, and passion for community engagement, the discussion will explore five meaningful paths for collective growth in cybersecurity.

  • The Duality of Gen AI: From Glitches to Guardians

    OWASP Silicon Valley

    The speaker will present a Tale of Two AIs. First, we'll delve into the intricacies of Gen AI and then discuss the unique security risks posed by Gen AI, including adversarial attacks, unintended biases, and emergent behaviors. We'll then explore how Gen AI can be utilized to strengthen security defenses by automating vulnerability detection, assisting in threat analysis, and even generating secure code. This talk will equip you with the knowledge to navigate the complex landscape of Gen AI security by building an adoption friendly responsible AI program at your organization. Join us as we explore the glitches and the guardians, and discover how to leverage the power of Gen AI to secure your applications in the future.

  • Security pitfalls of AI || Solved by Gen AI

    ISACA Silicon Valley

    The world seems captivated by the influence of generative AI, as it has undeniably unleashed and augmented human creativity and productivity. This presentation aims to go beyond the buzzwords – AI/ML, LLM/Gen AI – and educate the audience about the real-world security and privacy pitfalls associated with Gen AI, along with strategies to combat them. Can we leverage generative AI to solve security use cases? Let's explore these use cases and discover how to apply them to bring the productivity magic of LLMs to the cybersecurity domain.

  • My meditation journey

    In the digital age, overstimulation from constant screen time leads to mental fatigue and stress due to the lack of support systems and focus on mental health. Neglecting self-care routines worsens this imbalance, leaving individuals susceptible to burnout. The presenter, a lifelong meditation practitioner, will share her journey of self-discovery through breathing exercises and meditation. These practices offer serenity amidst chaos, fostering calmness and joy. Establishing a meditation habit sets the stage for holistic well-being, supported by resources like guided meditations and community, empowering individuals to navigate their path to mindfulness with confidence.
    The key takeaways are:
    1. Intro to breathing
    2. Intro to various meditation techniques
    3. Other mindfulness activities
    4. How to make these part of your routine and take charge of your own wellbeing

  • How Reachability Analysis Can Transform Your Business Vulnerability Prioritization

    Dive into the future landscape of Application Security Posture Management (ASPM), and more specifically, application security risk prioritization with us! In this enlightening webinar Trupti and Patrick will spotlight the groundbreaking role of reachability analysis – a must-have for today's appSec teams.

    Cut through the noise of alerts with reachability analysis and master the art of directing your precious resources towards the most critical vulnerabilities.

  • Level Up Your Career: A Panel with Industry Leaders

    Day of Shecurity

    During this panel discussion, you'll hear stories from industry leaders with diverse backgrounds and careers who'll speak on how they’ve navigated their careers, what they’ve learned so far, their highs and lows, and how to level up your career. Come hear our panelists discuss what it's really like to grow your career in security, what to do if you find yourself stuck, or whatever you want to learn more about. This panel will gather industry leaders to talk about their paths in security. Pulling from different companies, security domains, and career paths, this all-women panel will offer a diverse perspective on leveling up your career. Come to hear their stories of successes and failures along with what our panelists have learned along the way. The panelists will discuss building your professional brand, growing your career, management vs. IC paths, secrets to success, and pivots when you are stuck. Bring your questions, as we will take audience questions during the panel.

  • Counterintuitive Cloud Security Trend

    Cloud Security Thirsty Thursday - Security Thought Leadership Series

    In this presentation I covered a few cloud computing and counterintuitive cloud security trends:
    ~ An increase in security investment does not indicate a reduction in incidents
    ~ Cloud security shared security model
    ~ A multicloud strategy increases flexibility and resiliency, but enforcing security is a complex and daunting initiative
    ~ Accurate detection and response does not necessarily help with faster remediation
    ~ Zero trust vs Trust On First Use (TOFU)

    Finally, innovation in technology indicates new emerging trends, but when it comes to security, the same old foundational principles are applicable!

  • Not All Alerts Are Born Equal: Insights from AppSec Experts on Prioritizing Security Alerts

    DEFCON APPSEC Village

    In today's threat landscape, security teams are overwhelmed with the number of alerts generated by their security stack. However, not all alerts are equally critical, and it's essential to prioritize them based on their severity and context impact on the organization. In this panel discussion, our AppSec experts will share their experiences and insights on how to effectively prioritize alerts and reduce alert fatigue. They will discuss best practices for triaging alerts, techniques to automate the process, and strategies to ensure that the most critical alerts receive immediate attention. Join us to learn from the experts on how to effectively manage security alerts and improve your organization's security posture.

  • My Cyber Security Career Journey

    Datadog Security Speaker Series

    Curious minds often inquire, "What led you to choose and stick with the captivating field of cybersecurity?" Well, allow me to unveil my top five reasons that have kept me committed in this ever-evolving field:

    🚀 Skilled security professionals are high in demand and low in supply.

    Considering the shortage of proficient cybersecurity experts, many organizations are seeking committed security professionals, resulting in an abundance of job opportunities.

    📚 Security professionals enjoy continuous learning of cutting-edge tech.

    Modern technologies such as IoT, cloud, artificial intelligence/machine learning, etc. are evolving at rapid speed, and cyber security professionals enjoy building state-of-the-art security solutions to stay one step ahead of cyber criminals.

    🔱 The work of safeguarding assets from attackers holds deep meaning for security professionals.

    Cybersecurity offers a sense of purpose and the opportunity to make a real impact every single day. Securing critical systems, services and sensitive data is more than a job; it's a meaningful mission.

    🌎 Cybersecurity presents ample avenues for global collaboration.

    This profession offers an excellent opportunity to engage with like-minded individuals, collaborate on projects, and learn from industry experts. There are more than 300 security conferences where we can share ideas, address cyber security challenges and grow together.

    🔭 Cybersecurity fosters innovation

    This one is my personal favorite 😀 Creating scalable security solutions and services while matching the speed of engineering and keeping the cost low requires out-of-the-box thinking and innovation.

    So, jump into the exciting world of cybersecurity, where demand meets innovation, meaningful work drives you forward, collaboration fuels growth, and your expertise makes a difference. Embrace the thrill and be a part of this dynamic field now! Step into the world of cybersecurity and experience the thrill like never before!

  • Unlock Your AppSec Career Potential: A Guide to Successful career

    Bay Area OWASP Chapter

    Rapid development cycles and time constraints, the diverse skill sets required to evaluate applications built with complex new technologies, and an evolving threat landscape are some of the reasons that make an application security engineer’s job interesting and difficult at the same time. As a result, appsec engineers have to develop fast learning mechanisms and, based on their strengths and interests, pick the right career paths to not just survive but thrive in the world of application security. In this talk, we will discuss how to analyze one’s strengths and interests, choose the right application security career path, and continue to prosper throughout your career.

  • IKIGAI for security professionals!

    Seattle B sides 2023

    Whether it's the great resignation or layoffs due to the macroeconomic slowdown, the average tenure of a security professional has reduced to approximately 18 months. Successful cyber security professionals always seek a meaningful career and an environment to support it. However, some of the top reasons why cyber security professionals leave their jobs are skill gaps and the reactive nature of most security jobs, and, as a result, increasing stress levels and burnout. In this talk, we will present the popular Japanese concept “Flow of IKIGAI” that can be used to assist security professionals to embark on a purposeful career growth journey.
    Join us to learn how to discover your passion, build the necessary technical domain specific skills and soft skills to make your career profile indispensable. Understand the role networking and giving back to the community plays in creating a top-notch security career. Leadership will learn how to hire the best talent and build high performing security teams. The talk will also cover what it takes to create a thriving environment for security team members so that leadership never has to worry about the great resignations.

  • Optimizing red team and blue team operations using automation!

    Seattle B sides 2023

    Today’s tech industry is rapidly evolving and demands an increased pace of innovation to uncover newer security and privacy attack surfaces. During these uncertain economic times, security teams have been challenged to do more with limited resources. Therefore, automating repeated tasks involved in red team and blue team operations is essential to drive operational excellence. As we enter a new era where an Artificial Intelligence powered chatbot can be used for adversarial simulations, let’s understand its impact on red teaming and blue teaming automation. We’ll hear from security engineering leaders about the blue team tooling and processes they’ve adapted or created to keep modern, distributed enterprise applications and systems secure. We’ll also discuss what red teaming automation organizations can do to keep ahead of advanced threats. There’s tremendous value in optimizing red team attack and blue team defend tactics using automation - attend this talk to hear 3 experts explain why.

  • Navigating the New Tech Market

    It’s been said that the only constant is change. And it’s no secret that the tech industry has seen many changes and challenges in the last few years. As we enter 2023, how will this industry continue to shift, and what impact will tech continue to have? I’m excited to be joining members of Datadog’s Leadership team for a virtual to discuss the ever-shifting landscape of tech and how Datadog is maneuvering through this new era.

  • Woman Leaders in Security- Together we rise by lifting others

    Indo American Cyber Security

    According to a survey conducted by ISC2, women only make up 24% of cybersecurity professionals. While this is a promising growth compared to 2017, where we had only 11% representation of women security professionals, we still experience a dearth of women leaders in the executive roles.
    Empowering women security professionals at all career levels with the right coaching and mentoring is the first step toward the bigger goal. I want to encourage all women security professionals in my network to consider stepping up in their career journey and help shape cyber security into a more diverse and inclusive field!

  • Foundations of Security and Leadership at Scale

    Dash Conference

    As businesses have modernized and migrated their tech stacks from on-prem to the cloud and broken down monoliths into microservices, security teams have had to evolve. This evolution has led to new tools and new practices to avoid incidents. We’ll chat with security engineering leaders about the processes they’ve adapted or created to keep modern, distributed systems safe. We’ll also discuss what organizations can do to keep ahead of threats as our systems keep advancing.

  • The many colors of cybersecurity

    InfoSecworld 2022

    In the military world, Attack (Red) & Defend (Blue) Teams conduct internal “war games” to assess preparedness and resiliency. In the cybersecurity world, they work the same way; however, the joining of forces has produced a new color - purple.

    Typically, these colors exist in the domain of the InfoSec team. But what about teams that build and/or operate IT systems? They tend to be color blind — neither Red nor Blue nor Purple. There’s tremendous value in teaching build and operate teams attack and defend tactics - attend this talk to hear 3 experts explain why.

  • Leveraging Software Bill of Material (SBOM) to foster open source software security

    The Diana Initiative

    In this presentation, we demonstrate a proof of concept illustrating how the accuracy and efficacy of the software bills of material generated from source code, build-time and run-time can assist an organization to systematically reduce open source software security risk. First we walk you through the existing open source tools that we examined for SBOM generation and enumerate the challenges we faced employing them to generate SBOMs. Then, we outline the use cases of SBOM. This includes how security teams can take initiatives based on the information extracted from SBOMs to run a company-wide program for software life cycle management. We use a purple teaming approach to prioritize vulnerabilities based on information obtained from SBOMs. This talk is an enabler for everyone who wants to improve their overall open source software security at scale.

  • SBOM challenges and how to fix them!

    Bsides Las Vegas

    Today’s modern software services are built on top of open source libraries, and this makes consumers susceptible to open source vulnerabilities. This includes risks due to known CVEs and malicious source code, operational risk due to dead dependencies and out-of-date software, and legal risks due to licensing discrepancies.
    Software Bill of Material (SBOM), as a concept, offers an inventory of details of all components that constitute software services. SBOM is the first step to managing vulnerabilities in 3rd party dependencies.
    The challenge is that producing an accurate SBOM (low false positives and false negatives) is not easy, and using noisy SBOMs can be misleading and quite wasteful! In this talk, we walk you through the existing tooling landscape for SBOM generation, enumerate the challenges we faced employing them to generate SBOMs from our source code, and share critical advice on how to generate the “correct” SBOM. We will also enumerate the open SBOM challenges we have identified for the security community to address.

  • Combining Procurement and Management: A Tech Leader’s Take on Current Vendor Processes

    Medium

    As organizations mature, choosing the right software stack becomes necessary to sustain growth and drive operational excellence. This blog provides insight into the vendor selection process, covering vital lessons to get you started with third-party vendor life cycle management. Considering the challenges in the procurement process for a growing organization, I provide an actionable framework using Expent, an AI-driven vendor lifecycle management solution.

  • To speak or not to speak

    Linkedin

    This article covers why I love public speaking and how it played a crucial role in my personal and professional growth.

  • WOSV22- Celebrating Power of Resilience

    Linkedin

    This article narrates my experience attending the Women of Silicon Valley conference last week as a speaker and as a participant. The conference did an excellent job of offering an open platform to women in tech to connect, empower and inspire each other. This year’s central theme was celebrating the power of resilience in various areas, especially tech, business and career. There were many great talks and workshops, including keynote speeches and panel discussions, and here are my top 3 talks.

  • Threat Modeling Workshop for Building Resilient and Secure Applications

    Women of Silicon Valley

    Threat modeling offers a systematic approach to analyze and evaluate the design and architecture of an application to determine threats, security controls and risks in the early stages of the software development life cycle. In this interactive session, the attendees can expect to learn to perform threat modeling to design secure and resilient software. They will participate in two group activities to threat model a modern application using a mix of asset-based and attack-based threat modeling methodology. As part of the group exercises, participants will use threat modeling templates to build attack trees and will come up with security controls to mitigate them.

  • From Gates to Guidance: The new face of Product Security

    Equilibrium, The Product Security Conference

    In this talk, I will cover the challenges associated with traditional appsec practices and how they create friction with modern software development practices. Then I will cover how guidance-based approaches can strengthen the secure development life cycle and promote innovation at greater speed.

    See publication
  • Microservices Design Pattern and Security

    Women of Security,

    The presentation covers a brief analysis of microservices architecture and design patterns (such as circuit breaker, service mesh, API gateway and more) in order to analyze how certain aspects of security are achievable at scale through these patterns.

    The presentation covers a brief analysis of microservices architecture and design patterns (such as circuit breaker, service mesh, API gateway and more) in order to analyze how certain aspects of security are achievable at scale through these patterns.

    The target audience for this talk is security engineers, security architects, software development engineers and managers, and anyone who is involved in designing and deploying end-to-end applications based on a microservices-oriented architecture.

    The attendees will walk away with a general understanding of security issues related to serverless applications and a framework to mitigate residual risk challenges through secure design patterns.

    See publication
  • Demystifying a cornerstone of privacy and data stewardship- Data Inventory why and what?

    Women of Security and Privacy (WISP)

    This is an interactive and practical conversation about a much-misunderstood component of your privacy and security posture--data inventory.

    This is an interactive and practical conversation about a much-misunderstood component of your privacy and security posture--data inventory.

    Jumping from obscurity to common jargon in a few short years, the term “data inventory” can prompt a range of feelings, from dismissiveness, to resignation, to fear. Unpacking data inventory--understanding its range of meanings and the important roles it can play in the business--will strengthen your knowledge of your own organization and its relationships with the people whose data you handle.

    The session includes presentation of concepts and definitions along with a demonstration. We will also share anecdotes and lessons learned.

    Other authors
    See publication
  • Securing Microservices in today's Fast, Feature Driven SDLC

    Ed Talks, Security Innovation

    Organizations are increasingly relying on microservices to modernize and scale in today’s distributed tech ecosystem. Microservices facilitate continuous delivery and deployment by offering loose coupling through modularity, fault isolation, and resiliency. However, the resulting distributed systems are often complex, with large attack surfaces, making traditional security assessments difficult. To maintain consistent security levels, teams need to standardize practices and recalibrate assessment techniques. Come learn how industry experts from product security, engineering, and product management integrate risk-based approaches to their software pipeline to release software more confidently. Topics include:
    - Security as a Service: Arming teams with pre-secured libraries, assessment templates, security guidance, and hardened frameworks
    - Rapid Risk Assessments: Evolving beyond monolithic SAST/DAST scans towards rapid component analysis
    - Modern Vulnerability Management: Optimizing classification systems based on component criticality, business impact potential, and mitigating controls

    Other authors
    See publication
  • Stealing attacker's playbook with purple teams

    Ed Talks, Security Innovation

    Historical approaches to IT security have been driven by primary colors – red teams attack, blue teams defend. This leaves technical teams color blind as to how hackers exploit the very software they are tasked with building and protecting. Purple Teaming is a collaborative approach organizations use to improve their security posture during the attack exercise to capture immediate value and foster a real-world defensive approach. This strengthens a team’s understanding of abuse cases so they can employ effective controls from requirements through deployment. Attend this talk to learn how to embed an exploit mentality into technical teams, which results in a reduced attack surface, fewer security vulnerabilities, and accelerated feature release.

    See publication
  • From gates to guidance: The new face of application security

    Bay Area OWASP Chapter

    The presentation covers the challenges associated with traditional appsec practices and how they create friction with modern software development practices. Then I will cover how guidance-based approaches can strengthen the secure development life cycle and promote innovation at greater speed.

    See publication
  • The Primary Colors of Cybersecurity: Red, Blue and Purple

    Cyversity (ICMCP)

    In the military world, Attack (Red) & Defend (Blue) Teams conduct internal “war games” to assess preparedness and resiliency. In the cybersecurity world, they work the same way; however, the joining of forces has produced a new color: purple. Typically, these colors exist in the domain of the InfoSec team. But what about teams that build and/or operate IT systems? They tend to be color blind, neither Red nor Blue nor Purple. There’s tremendous value in teaching build and operate teams attack and defend tactics. Attend this talk to hear 3 experts explain why.

    Other authors
  • Purple Teaming Strategy to Execution

    GRIMMCon

  • Build Resilient, Secure Microservices with Microsegmentation

    The New Stack

    About 10 to 12 years ago, the world of software experienced a shift in the architectural aspects of enterprise applications. Architects and software builders started moving away from the giant, tightly coupled, monolithic applications deployed in the private data centers to a more microservices-oriented architecture hosted in public cloud infrastructure. The inherent distributed nature of microservices is a new security challenge in the public cloud. Over the last decade, despite the growing adoption of microservices-oriented architecture for building scalable, autonomous, and robust enterprise applications, organizations often struggle to protect against this new attack surface in the cloud compared to the traditional data centers. It includes concerns around multitenancy and lack of visibility and control over the infrastructure, as well as the operational environment. This architectural shift makes meeting security goals harder, especially with the paramount emphasis placed on faster container-based deployments.

    The purpose of this article is to understand what microsegmentation is and how it can empower software architects, DevOps engineers, and IT security architects to build secure and resilient microservices. Specifically, I’ll discuss the network security challenges associated with the popular container orchestration mechanism Kubernetes, and I will illustrate the value of microsegmentation to prevent lateral movement when a breach takes place.

    See publication
  • ZeroTrusting Serverless Applications: Protecting Microservices using Secure Design Patterns

    Seattle Bsides

    Serverless applications are the latest trend that is disrupting the world of microservices. Microservices enable developers to move faster with continuous delivery and deployment of large enterprise applications. They offer loose coupling through modularity, scalability, fault isolation and resiliency from a security perspective. However, the resulting distributed systems are often complex with a large attack surface, making traditional security assessments difficult. Tasks such as security design review, threat modeling, security code review and especially security testing become challenging due to the overall scope of feature deployment spanning multiple services and domains and the speed at which these are deployed. Therefore, if security is not baked into the design and architecture, the applications are susceptible to a variety of security attacks.
    The main purpose of this presentation is to discuss the common security pitfalls associated with serverless application variants such as “Backend-as-a-Service” (BaaS) or “Functions-as-a-Service” (FaaS). The talk will also cover an in-depth analysis of microservices architecture and design patterns (such as saga, DDD aggregate, asynchronous messaging, API gateway and more) in order to analyze how certain aspects of security are achievable at scale through these patterns.
    The target audience for this talk is security engineers, security architects, software development engineers and managers, and anyone who is involved in designing and deploying end-to-end applications based on a microservices-oriented architecture. The attendees will walk away with a general understanding of security issues related to serverless applications and a framework to mitigate residual risk challenges through secure design patterns.

    See publication
  • Security is not a Unicorn

    Kubecon EU

    Kubernetes brings great capability to High Performance Computing (HPC), but also introduces new attack surface to traditional HPC clusters. In the KubeCon+CloudNativeCon Europe 2020 panel, “Security is Not a Unicorn,” we discuss the unique technical and cultural challenges that arise when the High Performance Computing community adopts Kubernetes.

    Other authors
    See publication
  • The Road Less Traveled: Use-cases, Challenges, and Solutions of Homomorphic Encryption

    Lonestar Application Security Conference (LASCON 2018)

    In this hyper-connected and data-driven world, information can be highly valuable. User data can be collected and analyzed using machine learning techniques to create a superior customer experience. There is tension between the benefits of digital freedom and privacy. Striking a careful and unique balance between privacy and security of user data can be challenging. In this asymmetric battle, are there techniques that help to protect the privacy of user data while benefiting from the results of collected data analysis? The answer is Yes. Homomorphic encryption may be an effective mechanism to protect both privacy and confidentiality of the data at the same time by enabling computation on encrypted data.

    The concept of homomorphic encryption has been around in theory since the RSA algorithm was published in 1978. Recent research shows promising applications of this mathematical invention. The presentation provides an overview of homomorphic encryption and how it can be used to perform computations while helping to preserve privacy. The speaker will also discuss a few use-cases of differential privacy, homomorphic encryption and security implications associated with them.

    The target audience for this talk is security engineers, privacy advocates, software development engineers and managers, technical program managers and anyone who is involved in protecting privacy. The attendees will walk away with a general understanding of this topic and its usage and a framework to mitigate challenges.

    See publication
  • Security Evaluation of Libraries

    Lonestar Application Security Conference (LASCON 2017)

    Software services are built on top of service frameworks such as .NET, Java web services, Apache Axis etc. These frameworks consist of a set of libraries and other components like support programs, compilers, tool sets etc. Applications interact with libraries through well-defined API calls either during the build (static) or at run-time (dynamic). Generally speaking, Application Security programs implement an application-centric review process. They do not cover the criteria to do security evaluations of libraries. The attack surface, threats and data flow for a library are different from those of an application. This talk discusses the primary differences between applications and libraries and provides a mechanism for evaluating libraries. Specifically, it covers how to scope the assessment of a library and special considerations during the architecture review and threat modeling phases. Validation of the secure and correct implementation of the security controls offered by the library is the main goal of the evaluation. By evaluating libraries, we make sure that all the fundamental building blocks of the development framework are secure. By offering guidance on secure-by-default configurations to developers, we can strengthen the secure software development process.
    The target audience for this talk is security engineers, software development engineers, software development managers, technical program managers and anyone who uses libraries as part of the software development process. The attendees will walk away with a methodology on how to review libraries and how to scale the secure usage of libraries using secure-by-default implementation.

    See publication
  • Go Purple! Adopt purple team strategy to augment Application Security Programs

    Lonestar Application Security Conference (LASCON 2016)

    Lately, monolithic applications have been replaced by a more complex and evolving microservice-oriented architecture. Moreover, with the rise of CI/CD, DevOps, and agile SDLC, the need for building security as a core line of business has become an indispensable requirement. Within this framework, the traditional security evaluation approach, or the new secure DevOps approach implemented using small security teams (blue team, red team, DevOps security team, etc.), presents both limitations and advantages. Specifically, the checkpoint approach slows down deployments, and not all types of security assessments can be automated in CI/CD. In this presentation, I suggest that a purple team strategy is the best way to weave security across business units in an organization. Purple teams are security teams that consolidate the defensive security controls prominently learned from blue teams with the vulnerabilities and exploitation techniques utilized by red teams, into a single score. A purple team approach can break artificial boundaries and transform security from a checkpoint to a semi-mystical function. Successful collaboration between purple team members and developers/DevOps engineers will bridge the operational gap between implementation and verification of defensive controls, while using exploitation techniques will reduce the issue identification and remediation time significantly. Adopting a purple team approach can also break the negative stereotype associated with security professionals and security testing. In this talk, the audience will learn the traits and methodology of purple teams and how they are used to influence security among various groups, while augmenting the effectiveness and influence of application security programs.

    See publication
  • Trusting Virtual Trust

    International Common Criteria Conference (ICCC)

    This publication explains the need and approach to formally evaluate Java Virtual Machine's Security using Common Criteria.

    Other authors
  • A Preliminary Approach to the Forensic Analysis of an Ultraportable ASUS Eee PC.

    Forensics in Telecommunications Information and Multimedia, Springer Publishing.

    The aim of this paper is to analyze one of the leading sub-notebooks, the ‘ASUS Eee PC’, from a forensics perspective. Specifically, the work investigates current image creation methods for imaging the Eee PC’s Solid State Drive and analyzes forensically important artifacts.

    Other authors
    See publication
  • Acer Aspire One Netbooks: A Forensic Challenge.

    1st Computer Forensics in Software Engineering Workshop (the 33rd Annual Computer Software and Applications Conference), Seattle, Washington, United States of America, 20-24 July 2009.

    The aim of this paper is to analyze one of the popular netbooks of 2008, the ‘Acer Aspire One (AOA)’, from a forensics perspective. The work is specific to the AOA with a Solid State Drive (SSD): creating a forensically sound image of the SSD and analysis of the important data stored in default applications.

    Other authors
  • Protecting microservices using secure design patterns

    -

    The presentation covers an analysis of microservices architecture and design patterns (such as API gateway, log aggregation and more) in order to analyze how certain aspects of security are achievable at scale through these patterns.

    See publication

Patents

  • Secure and anonymous electronic polling

    Issued US 10,979,225

    Secure and anonymized electronic voting: A homomorphically encrypted vote and a digital signature of the homomorphically encrypted vote are received from a client device. Then, the digital signature of the homomorphically encrypted vote is validated. Next, the homomorphically encrypted vote is stored in a data store in response to validating the digital signature of the homomorphically encrypted vote. Finally, the homomorphically encrypted vote is recorded in a publicly available distributed ledger.

    Other inventors
    See patent

Languages

  • English

    Full professional proficiency

  • Hindi

    Native or bilingual proficiency

  • Marathi

    Native or bilingual proficiency

Organizations

  • OWASP

    member

    - Present
