In response to the world’s increasing dependence on digital infrastructure we need an approach to security in the context of human factors, adversary motivations and social impact. Software has become a foundation of our modern world, and we developers face a scary responsibility that comes with the fact that our code will be used in ways we cannot anticipate, in ways it was not designed, and for longer than it was ever intended. It will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
If we developers recognize these things – we have to choose to be rugged. Learn more by watching the videos in the Security and Rugged track at GOTO Amsterdam 2016 below.
Even Faster: How Rugged DevOps & SW Supply Chains Attack Developer Waste
with Joshua Corman, CTO at Sonatype
With continuous development, we write less code and consume more re-usable open source code. We are getting faster and more efficient. But this innovation also accelerates complexity and complexity is the enemy of quality. Poor quality creates unplanned/unscheduled work. Re-work creates a drag on development speed. It’s a continuous loop.
Couple this complexity with the fact that this past year was open season on open source. Heartbleed, Bash Bug, Shellshock… For many it took days, weeks, even months to determine if they were impacted, where they were impacted and then make the appropriate fixes. That’s a lot of unplanned work. And those are just the vulnerabilities that made the headlines.
The good news: other industries have figured this out with supply chain management. Applying supply chain approaches to software raises the bar on continuous goals.
A few of the patterns we can take from the rigor of things like the Deming and Toyota Supply Chain:
- Scrutinize the number and quality of your “suppliers” – and highest quality parts from those suppliers
- Improve traceability and visibility
- Ensure prompt agile responses when things go wrong
Josh will show that you can deliver applications on-time (even faster), on-budget (even more efficiently) and with a natural byproduct of higher quality and less risk by embracing supply chain principles as you embrace micro-services, containers, and continuous everything…
Rugged: Being Secure and Agile
with Michael Brunton-Spall, Senior Technical Architect at the Government Digital Service
I believe that agile methods of development and operation can lead to more securely designed and operated systems than is possible via non agile methods. But doing so requires work and thought.
Agile methodologies however have generally been said to be incompatible with traditional security governance and risk management structures.
Something needs to change and in this talk, I’ll show you how we can change the way we approach security to enable rapid development, changing requirements and yet produce a system that is more secure.
Secure Coding Patterns
with Andreas Hallberg, Security Software Engineer at TrueSec
What is “secure code”?
This session will introduce you to a safe mindset when developing applications. You will learn how to make the concept of trust a first class citizen in your code, how to make validation enjoyable (ok, at least not insufferable) and know what to look for when reviewing code for security vulnerabilities. Secure coding patterns will make your code cleaner, more robust and less likely to cause your user table to end up on pastebin.
Embrace the Past: How Software Evolution Lets You Understand Large Codebases
with Adam Tornhill, Founder and CTO at Empear
To understand large software systems we need to look beyond the current structure of the code. We need to understand both how the system evolves and how the people building it collaborate. In this session you’ll learn to mine social information such as communication paths, developer knowledge and hotspots. It’s information you use to improve both the design and the people-side of your codebase. The techniques you’ll learn are based on software evolution. They use data from the most underused informational source that we have in our industry: our version-control systems.
You’ll see how that information lets you identify code that’s hard to maintain, code at risk for defects and even detect architectural decay. Each point is illustrated with a case study from a well-known codebase like Roslyn, ASP.NET MVC, Scala or Clojure. This is a new perspective on software development that will change how you work with legacy systems. Come join the hunt for better code!
Remove and Prevent: Dealing with Bugs in Software and Systems
with Diomidis Spinellis, Professor at the Athens University of Economics and Business
Finding and fixing errors in computing systems is an important and difficult task. Often debugging consumes most of the time in a developer’s workday; obtaining the required experience can take a lifetime. The talk categorizes, explains, and illustrates methods, strategies, techniques, and tools that can be used to pinpoint elusive and pestering bugs. The talk’s aim is to provide an overview of the complete debugging landscape: from general principles, high level strategies, and behavioral traits to concrete techniques, handy tools, and nifty tricks.