They Are Going To Get In...Plan For That

In a perfect world, all the firewalls, network security tools, and advanced agent-based DevSecOps platforms would all be 100% effective, and no attacker would ever get through. Even if all those layers keep the most 1337 haxxor at bay, the fact remains that 88% of all malware gets installed by someone clicking a link in a phishing email; things are going to get through. While it can be easy to play the blame game and try to get even more budget to harden our perimeters, the truth is we are now in a different era of cybersecurity. It is time to admit it is not a matter of 'if' they get in; it is a matter of 'when.'

This shift means changing our mindset from guarding the doors and windows to launching decoys, upping our intrusion detection reaction times, better educating the whole company about ever-evolving risks, and making sure we consistently know what to do when breaches happen.

This session will cover some of the recent breaches, taking a look at the standard operating procedures most attackers follow. We will then look at how to use off-the-shelf tools to better defend our true holy grails and react so fast and with such efficiency that we will win round after round as we make our attacker's job very difficult.

Who Goes There? Actively Detecting Intruders With Honeytokens

Ever wish you could set traps for intruders in your environment? While you can't rig explosions or rolling boulders when someone attacks your servers, you can set up false credentials that trigger alarms you can act against. That is the whole idea behind honeytokens! This talk is a practical primer for teams to be able to leverage honeytokens.

Stop Committing Your Secrets - GIt Hooks To The Rescue!

No one wants their keys and secrets on GitHub, but one bad push can mean you are suddenly exposed. In the best-case scenario, you discover the issue and fix it before something bad happens, but in the worse case, you don’t find out until it is far too late.

Most devs are familiar with using .gitignore files to prevent Git from tracking specific files and folders, but did you know that you can leverage Git hooks and some open source awesomeness to keep you from accidentally committing your secrets in the first place?

If you are not actively using Git hooks in your workflows, then this talk is for you. Let's look into the .git folder and unlock a whole world of automation possibilities!

So My Credentials Have Been Leaked...Now What?

While we can hope our passwords, API Keys, and certificates are secure and private, hope is not a strategy. Sometimes our credentials become published in a log, source code, or some other source a malicious actor can access. In the best-case scenario, you find out immediately and can work to fix the issue without impacting any other systems or teams. In the more likely worst-case scenario, you have to go through some painful conversations and take significant time away from pushing customer delighting code to deal with a pretty scary circumstance.

What makes credential leakage such a terrifying topic is, at least in part, the paralysis of not knowing what to do, or where to start the conversation. In mature organizations, security teams might have protocols and email addresses in place to escalate these situations. In many organizations, you might be starting from scratch.

This session will look at how to deal with credential leaks from detection through closing the final related ticket the incident generated. We will look at topics such as validation of secrets, scoping impact, assembling the right players, to how to offload tribal knowledge with tools like notebooks and playbooks. We will also take a look at how to prevent future leaks with some open source tools and non-intrusive workflow adjustments.

Security Does Not Need To Be Fun: Ignoring OWASP To Have A Terrible Time

When you think about application security, I bet you think of fun times with friends and relaxing weekends at home. Like any other elite DevOps professional, you spend your time figuring out complex business problems and delighting customers with new functionality, not digging through incident reports and mitigating security issues. You learned early on that relying on the standards set by OWASP and baking security into every step of the SDLC not only made DevSecOps inexpensive and easy to deal with but also bought peace of mind from the whole team, who can now spend more time in a conga line instead of the issue queues.

Wait? What? Does not sound like you, or sound like some kind of pipe dream? That’s most likely because you are thinking of security as a set of tools or a specific department, instead of embracing the principles of the Open Web Application Security Project, OWASP. Thousand of the leading minds in security have contributed a lot of time and effort to lay out easy-to-follow guidelines and checklists that you can follow to make security much more manageable.

Yes, security incidents happen to all of us from time to time. But following the best practices, gathered and learned by industry leaders, can help you have a much better time while achieving better security throughout your organization.

In this talk you will hear:

Horror stories of security gone wrong
Navigational advice for parsing the OWASP offerings
Practical advice on how to test like a pro
Some immediate action items which won’t require any new tech investments to start down a better path.

Scaling Security: What Shifting Left Was Supposed To Mean

"Shifting Left" has become an industry buzzword that, to some, means they will finally get the organization to take security and DevOps seriously. But unfortunately, not everyone sees eye to eye on this subject yet. For a lot of people on the left side of the equation such as developers and platform engineers, this can seem like an oncoming avalanche of standards, 40+ page PDFs, and requirements that come from teams that might have never actually talked to the end customer.

In the average organization, the size of the dev team is much larger than the security teams, sometimes by truly staggering amounts. Shifting Left can mean everyone works cohesively to make sure security is implemented, tested, monitored, and reported effectively. We will walk through some of the best practices toward this common goal being implemented and popularized right now, with the goal of revealing the single underlying truth that shifting left can be a very positive thing for everyone involved.

In this session we will walk through:
- A brief history of DevSecOps
- That sharing security responsibility was supposed to solve
- Where the disconnect is happening on most teams
- Approaches to better security throughout the SDLC with minimum disruptions

How Mature Is Your Secrets Management Strategy?

One nagging question keeping security folks up at night is "How do I know how secure my secrets really are?" Wouldn't it be great if there was an easy-to-use guide to help you determine how mature your secrets management strategy is now and a simple roadmap for improvement?

Good news, there is one.

What Git Metrics Can Tell You About Your Team

As Lord Kelvin said: “If you cannot measure it, you cannot improve it.”
It is vital to the success of every team that you have metrics and those metrics are simple to track. But what do you measure? For DevOps teams at least, the answer is more and more clear thanks to the work by Google Cloud’s DevOps Research and Assessment, also known as DORA.

Even if you are not ready to take the full plunge to adopt all the practices and methodologies they prescribe, taking stock of the surprising amount of data that already exists around your DevOps practice is an incredible step towards building a more manageable team with overall better success.

In this session we will cover:
- Why DevOps success is hard to quantify
- What the DORA team uncovered
- How to do a base level assessment of your current path
- What options exist to better capture data and tune your organizational practices

Git - The Other DB You Need To Know

Ask anyone managing a database and they will tell you there is a lot you need to track outside of the database. You need to manage server configuration settings, user access info, and documentation, just to name a few things. And then there are all the testing code snippets and other software tools and setting you to need to keep in order. It can get messy and complex quickly.

The good news is that with a slight modification to your existing workflow, anyone managing a DB can track all the work that lives outside the DB using Git. At its core, Git is a DB for tracking changes in files, no matter what is in them. Not only can it help you keep track of your work locally, but it can also help you share your work and make onboarding new folks a lot simpler.

In this session we will explore:
- Implementing a basic Git workflow
- To CLI or Not CLI?
- Branching for separation of concerns
- Time traveling through previous work
- Sharing your work safely

Git - Beyond Just Committing

Git - Beyond Just Committing!

At this point, all developers likely understand the need for version control for collaborating with their codebase. Further, most devs have mastered the basic art of Git commands like add, commit, branch, merge and pull requests.

Sure, Git tracks project snapshots over time, but did you know you have complete access to all of those changes, even ones you might think you have lost from a reset!

This talk will feature discussions of some of the hidden gems inside Git and a new way to think about your workflows!

Come out for a high-level discussion of:
Git squash - clean up your commit history!
Git rebase - clean up your graph!
Git cherry-pick - moving just what you want!
Git reflog - see EVERYTHING Git does!
Git gc - speed up Git!
Git hooks - trigger automatic actions with Git events!
Git worktree - no need to use stash to switch branches!

Stop Committing Your Secrets - GIt Hooks To The Rescue!

No one wants their keys and secrets on GitHub, but one bad push can mean you are suddenly exposed. In the best-case scenario, you discover the issue and fix it before something bad happens, but in the worse case, you don’t find out until it is far too late.

Most devs are familiar with using .gitignore files to prevent Git from tracking specific files and folders, but did you know that you can leverage Git hooks and some open source awesomeness to keep you from accidentally committing your secrets in the first place?

If you are not actively using Git hooks in your workflows, then this talk is for you. Let's look into the .git folder and unlock a whole world of automation possibilities!

While this talk is primarily aimed at junior devs who are still learning the ropes of security and repo hygiene, anyone who is using Git only at the surface level can benefit from a deeper dive into the possibilities Git can really offer.

Demystifying Git - Version Control From First Principles

Git is the defacto standard version control system in use today. Every developer learns the basics of add, commit, branch, merge, pull, and push, and that is about all they learn about Git.

However, if you ask how Git actually works under the covers, most people will tell you they don't really know. Worse yet, when most developers see Git output messages like "detached HEAD state" or "CONFLICT (content): Merge conflict", they get a stress-induced panic.

This session will peel back the shroud of mystery that envelops Git, showing that there is nothing overly complex or terrifying about the inner workings of the world's most popular version control system. This talk is for everyone, from the complete Git novice to folks who have been pushing code for years but maybe have never stopped to look at how Git does its thing.

In this session we will cover:
- A tour of .git folder
- Branches might not be what you think they are
- Rebase is your friend, I swear!
- How reflog can save the day
- The power of Git bisect
- And more....

This session is aimed at beginners and advanced Git users alike and is meant to remove the fear of Detached HEAD state and the other terrifying messages Git tends to present.

Developing For The Web Without Leaving The Browser

One of the most daunting parts of getting started as a developer is setting up your local dev environment. Sorting out all the needed parts can take hours or days, depending on the speed of your machine and the complexity of the project. For non-developers, the learning curve is terrifying and stops a lot of aspiring devs before they even have a chance to write HELLO WORLD.

Fortunately, as technology has shifted to the cloud, things have gotten a lot better! The limitations of needing a hearty processor and a ton of RAM need no longer be an obstacle. On-demand pre-configured development environments are now a reality thanks to platforms like Gitpod, Microsoft's VS Code for the Web, and GitHub's CodeSpaces.

This shift in technology is enabling an entirely new generation of coders to learn and develop without needing to overcome the hurdles of buying and setting up a new dedicated machine. For enterprises with dozens or hundreds of developers, the potential upside to shifting to browser-based development is enormous and should not be ignored!

Walk away from this session with a better idea about:
- How traditional local dev environments are secretly draining your resources
- Overcoming onboarding dread
- The reality of no more underpowered local machines
- Why "it worked on my machine" will soon mean it worked in Dev and Production
- Making your own transition plan

This session will involve some live coding if possible, can be shows in video but live coding drives the point home a bit more, so needs a good internet connection.