Interesting Equifax struts vuln timeline with numbers though:
1649 days to patch, 7 days to publish on NVD, 144 days between hack and discovering breach. #DevSecCon
Unsurprisingly, everyone's mentioning the Equifax breach. This is the second talk that tells the whole story of the vuln. #DevSecCon
My earlier toot about sponsor talks was in fact unfair: some are "random self-contradicting blabbering" and "by the way, this is our tool, buy it".
And some others are actually very informative! #DevSecCon
In the context of containerized architecture: "Question everything and continually evaluate trust" #DevSecCon
@alanfranz Welcome to the fediverse!
Oh, it's actually a sponsored talk about a report-sharing-collaborative-tables-and-numbers-and-red-and-green-arrows tool. It all makes sense now. #DevSecCon
"Shift left is not enough, you need to expand and make everyone aware and on board that they need to apply security at all phases" -- wait, isn't that what shift left means? #DevSecCon
"Devs don't like having to run SASTs and having to do a lot of stuff, you need to give them just the small things that they need to really do to pass their security audit."
This sounds like encouraging the very wrong practice of security by boxticking and it's a very bad message to send out. #DevSecCon
Whoops, noticed just now that I keep getting the hashtags wrong, swapping #DevSecCon with #DevSecOps lol
Speaker showing a diagram with an agile SDLC lifecycle in a circle; at some point there is "feature complete? Yes another iteration / no exit" ... but projects/products never end! They either die or need maintenance and evolution. #EvolveOrDie #DevSecOps
"Shift left is relative to context, is your thinking model right-to-left? Or maybe top-to-bottom?" #DevSecCon
Oh gawd, please stop saying Docker! He managed to say it 12 times in 4 phrases #DevSecCon
Animated diagrams from an isometric view though, slick af! I'm genuinely impressed. #DevSecCon
Every sponsored talk ever: "Hey, I'm not here to sell our product, but here's a brief commercial of our product, and here are the tech details:"
*Spends 40 minutes showing slick diagrams and repeating that it integrates with anything and everything* #DevSecCon
Wait what, is this a thing?? #Docker on #mainframes? https://containerjournal.com/2017/08/17/docker-extends-caas-reach-mainframes/ #DevSecCon
"Now problems are created at scale" #DevSecOps
"People are wonderful... attack vectors." #DevSecCon
Subresource Integrity: you can have the browser verify hashes of resources included in a page
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity #DevSecCon
TIL this is available in Chromium's devtools: https://developers.google.com/web/tools/lighthouse/ #DevSecCon
Project is in its infancy, needs contributions! #DevSecCon