In order to continuously improve the security of its digital products, Information Security of Swiss Post operates a private bug bounty program. In this workshop, you will meet the team behind it and will get an overview of the benefits and challenges that a large organisation is facing when dealing with ethical hackers. One of our best bounty hunter will show you how he found some of the most critical vulnerabilities in the System of Swiss Post. Then we will follow the bug trough the bug bounty platform that we are using directly on the desk of one of our most tech savvy developers. He will show you some great code and explain what our security champions do in order to learn from the collective intelligence of a global hacking community.

Integrating Zero Trust into your SDLC Security has been synonymous with a "secure your perimeter"-model – i.e. enforce and protect your walls and then your castle should be safe. The rise and complexity of cloud computing has not necessarily made this model defunct, but it needs extending more than ever before.

This talk is focused on developers in helping them understand:

• Where is today’s perimeter anyway?
• What can firewalls protect and when they fail the soft centre of our castle
• Moving from physical network segmentation to logical micro segmentation
• Principles of Zero Trust
• Zero Trust as Code
  

After successfully merging the Dev and the Ops silos it's imperative now to integrate the Sec silo as well to reduce the threat attack surface of modern, hybrid cloud infrastructures.

Most infosec professionals are aware of the massive First Financial Corporation data breach that leaked 885 million sensitive documents in 2019. The damage was caused by a vulnerability called IDOR (Insecure Direct Object Reference) that was present in a First Financial Corporation web application. OWASP (the Open Web Application Security Project) recognizes IDOR as one of the top 10 security vulnerabilities for 2020. IDOR falls into the OWASP category known as Broken Access Control. IDOR is arguably one of the most difficult vulnerabilities to systematically detect and defend against in an enterprise codebase. Its ease of exploitation and potential high impact makes it a very high-risk vulnerability. What should developers do? Most industry experts advise them to “think like a hacker,” actively exploring possible attack vectors and implementing access control checks before manipulating resources. They also recommend manual code reviews. While these are good recommendations, they require developers to know how, when, and where to implement access control checks. And, they create a lot of additional manual work. Industry recommendations for QA are somewhat similar: think about attack vectors and make sure to write an extensive set of test cases to cover all potential scenarios. The number of necessary test cases can be immense as IDORs appear in URL parameters, form field parameters, file paths, headers, and cookies. Again, the recommended “best practice” involves a lot of additional manual work. Security officers are encouraged to arrange for manual code audits, which do not scale easily and are expensive. Commercial classic rule-based static code analyzers (SAST) should be able to help in theory, but they produce a lot of false positives and often prove more trouble than they are worth. Modern dynamic code analyzers (DAST) are based on traditional fuzzing techniques and are not suitable for IDOR. This is because traditional fuzzing seeks to break an application with the assumption that crashes indicate the presence of vulnerabilities. This is ineffective since IDOR does not typically crash an application but allows a malicious action to succeed. Our goal was to break through the manual work and provide an efficient automated detection and remediation solution that is effective against IDOR. We were inspired by recent academic advances in defining patterns of vulnerabilities from code representation graphs, the rise of graph query languages (Semmle etc.), and advances in graph neural networks. Integrating all these ideas, we started our journey to automatically find IDORs in targets ranging from applications, libraries, APIs and microservices.

You managed to introduce an agile development and operations process to your team(s). And now? How can you add security to your DevOps and get to the next level? Join us on our journey and see the tools and processes we tried and learned to value. Listen to our experiences so you do not have to make all of them yourself.

Learn how to decouple authorization checks from your application using Policy as Code, implemented by the open-source software "Open Policy Agent" (OPA). We want to show how it applies to our use cases at Swisscom Cloud Native environment and complement our explanation through a demo.

In a world where the cybersecurity applications are day after day more protected and solid, the most malicious attackers decide to target the weakest ring of system: the human. Through this presentation we will discover what are the social engineering attacks, how they are defined, how they are performed and how they can be identified before the attacker might be able to gain the access to the most sensitive information.

Alibaba offers full technology stack of Big Data and AI, from data storage to analytics and then Visualisation. To name a few, Dataworks, Maxcompute, OSS, EMR, ADB, PAI, Quickbi, DataV, etc. In this session, I will first give a general overview of what Alibaba offers and how you can use them for your business. I will focus more on Dataworks and PAI platform and make a small demo.

With the ever-increasing flow of data, comes the industry focus on how to use those data for driving business & insights; but what about the size of the data these days, we have to deal with? The more cleaner data you have, its good for training your ML (Machine Learning) models, but sadly neither the world feeds you clean data nor the huge amount of data is capable of fast processing using common libraries like Pandas etc. How about using the potential of big data libraries with support in Python to deal with this huge amount of data for deriving business insights using ML techniques? But how can we amalgamate the two? Usually people in the ML domain prefer using Python; so combining the potential of Big Data technologies like Spark to supplement ML is a matter of ease with PySpark (a Python package to use the Spark’s capabilities).

We take algorithms for granted and assume that they are unbiased and neutral. An algorithm by definition, according to Merriam-Webster, is a “set of rules a machine [... specifically a computer] follows to achieve a particular goal.” As these rules are designed by humans, they can contain flaws that can lead to biases. A few outliers are expected, but when it leads to bias against certain groups, it can be problematic. Let's take an example - a few years back, Amazon attempted to create a hiring algorithm to efficiently select candidates. However, due to the nature of the historical data used to train the algorithm, it was biased against female applicants. The goal of this talk is to educate on algorithmic bias, present case studies to highlight the adverse effects of algorithmic bias, and address prevention strategies.

Women in AI (WAI) is a global network of female experts and professionals in the field of Artificial Intelligence working towards gender-inclusive and ethical AI that benefits a global society. Our mission is to close the gender gap in the field by educating the next generation of female leaders in AI and to increase female representation and participation in Artificial Intelligence.

About the hosts

Carina Zehetmaier is a speaker, CEO & Co-founder, and legal expert with several years of experience working in international organisations and foreign affairs. She has profound knowledge of human rights law, diplomacy and world politics. She is passionate about entrepreneurship and new technologies, especially artificial intelligence, and the interlinkages with law, ethics and society.

Sheila Beladinejad is the founder and CEO of O Canada Tech. She has 20+ years of experience in Software Engineering with a special interest and expertise in Artificial Intelligence evaluation. She helps Private Equity firms going through the merger and acquisition process by providing technical due diligence assessments of the target companies’ software infrastructure. Additionally, she works with executive management teams of technology companies to define and execute strategic roadmaps for digital transformation and adoption of AI. She is the Global Head of Partnerships for Women in AI & the Ambassador of Munich. She also has an advisory role for Greentech Alliance non-profit organization.

Deep Neural Networks and Language Models built on top of them have seen a lot of hype over the past couple of months, especially in the GPT family of techniques. However, is this hype really deserved? What relationships and patterns do these models end up learning? Do they really reason and internally represent abstract concepts? Most importantly, how does this generalize to applications of Deep Neural Networks outside of Language Modelling? We'll decipher this situation and find the answers to these questions with a bottom up approach.

This talk is a quick deep dive into addressing the gender gap in DevOps and what we can do to close it. We believe that a balanced and diverse workforce drives innovation. Why is so important to grow and retain Diverse DevOps teams – join Lauren and Antonia from Women in DevOps to find out.

This quick we will be focusing on how important your HR is to your business. How diversity should affect your hiring strategy and people goals and just how big the impact is on the bottom line & culture for your teams. Join Women in DevOps speaking with Nancy Nemes, Kate Kosten and Ana Gospodinova to talk all things, diversity, inclusion and HR!

About the panelists

Francesca Pollard is the Co-Founder of Women in DevOps and unapologetically passionate about diversity in inclusion in the technology world. Francesca has a wealth of experience hiring for software engineers across Europe over the last 3 years for world-class start-ups, FTSE 100 and everything in between! With that brings intrinsic insight to how to hire diverse teams, and why they are so important!

Kate Kosten currently works as a researcher at the ZHAW and is jointly pursuing a PhD at the University of Fribourg. The main focus of her research is natural language query processing for databases. Before moving back to research, she worked in the innovation team at ABB developing chatbots and Machine Learning solutions for data quality improvement.

Nancy Nemes is a tech trendsetter, a global connector and a hands-on leader with 20 years of global experience in high tech across Europe, USA, Canada and South America. Her passion is in pioneering, implementing and optimizing the impact of mobile, digital, and social high tech aiming at enriching people lives through digital solutions.

Ana Gospodinova has over 15 years of experience mainly focusing on tech recruiting and company performance improvements. She gained her experience in both startup and corporate environments. Ana designed and implemented global tech talent sourcing strategies, long & short term approach to building external talent pipelines of “ready now” talent (strategy, structure, systems & programs), defined goal-setting approach and program efficiency metrics. She worked with businesses on focused initiatives with a world-wide impact. In the past 4 years, Ana is passionate about bridging technology and recruitment, aiming at improving the developers’ job-seeking experience.

What is #IamRemarkable?

#IamRemarkable is a Google initiative empowering everyone, particularly women and underrepresented groups around the world to speak openly about their accomplishments and promote themselves in the workplace and beyond. It’s one step in breaking through modesty norms and company glass ceilings. The #IamRemarkable workshop is an interactive, small-group digital session that runs live for 90 minutes and is hosted via Google Meet.

How #IamRemarkable works

• Self-promotion matters – Many of us struggle when it comes to talking about our personal accomplishments. Cultural and gender modesty norms as well as impostor syndrome can prevent a person from acknowledging their remarkable attributes and expressing their greatest achievements.
• #IamRemarkable goals – (1) Improve the self-promotion, motivation and skills of women and underrepresented groups. (2) Challenge the social perception around self-promotion.

The workshop

During the 90-minute workshop, you’ll be encouraged to challenge the social perception around self-promotion. You’ll explore the importance of self-promotion in both your personal and professional lives. Finally, you’ll leave the workshop equipped with the tools to develop this crucial skill.

Thanks for registering. The workshop is already fully booked!

In this talk, we will explain how Helvetia Versicherungen is dramatically improving internal processes and increasing developer happiness. This is achieved by automating manual work as well as reaping the benefits of moving to the cloud where we can quickly and efficiently deploy and provision services using a GitOps based approach.

"Progressive Web Apps" describe a set of new browser features that allow us to develop app-like experiences using web technologies. This talk will give you a brief overview of the exciting new possibilities (like offline capabilities, push notifications and an integrated UX), as well as their risks and do’s and don'ts.

Everyone talks about Cloud-native Application Development nowadays. But what does it actually mean? In this talk, we want to try to define what the characteristics of Cloud-native Applications are and what benefits they offer. In some specific examples, we try to show how to implement Cloud-native principles.

In this session am going to explain about how to work with Functions Triggers using Azure Event Grids in Azure Blob Storage.

Documentation is not one of the favorite tasks in everyday software development. Either there is hardly any documentation or too much. This makes it difficult to find information. A lightweight approach is the arc42 template. It also documents design decisions that shape the software architecture. Undocumented design decisions can lead to incorrect follow-up decisions that can cause the project to fail. But how can many decisions be documented efficiently and comprehensibly? This presentation will introduce a compact format called Architecture Decision Records (ADR) and show how they can be used efficiently. In addition to small details such as title assignment, a proposed solution is shown for dealing with a large collection of design decisions (>50). The Docs As Code approach is used. Through tagging and an efficient search, the documentation becomes a daily work tool.

In this presentation, learn why Bitcoin SV is the massively scaled blockchain to meet developer needs, re-invent the Internet, and open career opportunities for developers (such as a new job category: Bitcoin script engineer). Bitcoin SV is the only project that adheres to Satoshi Nakamoto’s original protocol, design and massive scaling vision for Bitcoin to become a global data ledger for enterprise, in addition to a peer-to-peer electronic cash system. By solving the scaling problems other blockchain platforms (like Ethereum) are facing, Bitcoin SV enables greater data, micropayments and technical capabilities. The Bitcoin SV Blockchain has seen application development explode globally, with now over 400 known ventures and projects. By learning about Bitcoin SV, developers can prepare themselves to build powerful enterprise applications, launch their own start-up ventures, and be at the forefront of new blockchain jobs.

Blockchain Technology offers incredible use cases besides crypto-currencies. Applications in Supply Chain Management, Self-Sovereign Identity, Certificates, Escrow are all based on Smart Contracts. This session gives a brief introduction into Smart Contracts and take a first step towards DApp (Distributed App) development. Get to know some of the development tools and take a step into the Blockchain Ecosystem.  

‍

Blockchain is not about money. But how does it influence business and does it have the stamina to also affect our society?

About the panelists

Paula Pettit is a serial entrepreneur who successfully exited her first two startups. She has been in the blockchain industry for the past 3 years, and began her journey by co-founding Bitfract, a portfolio management tool that was later acquired by ShapeShift. She now works as the Head of Business Development at Linum Labs, a global blockchain consultant and development company.

Steve Shadders has been involved in Bitcoin infrastructure since early 2011. As one of the first authors of open-source mining pool software "PoolServerJ," he was at the forefront of implementing new features like merged mining and local coinbase generation that are in common use today. Steve was actively involved in BitcoinJ project as one of the earliest contributors and still uses it today as his staple Bitcoin library. Today, Steve heads up nChain’s engineering team and is the Technical Director of the Bitcoin SV Node project. He is passionate about the future role of Bitcoin in reshaping the world. In his own words, it is disruptive technology with “more potential to change the world than the printing press.” In his role, he contributes his ecosystem-wide perspective to support building the mining and UX infrastructure needed to enable Satoshi’s Vision to be realized.

David Case is Chief Architect of Kronoverse. They are building a platform to bring blockchain gaming to the mainstream. Their first release is Cryptofights, which is currently in open beta. They have been building on BSV since just after the BCH fork, and working on taking advantage of it massive scaling capacity.

The presentation will introduce the Lisk SDK and how it is used to build blockchain applications. We will give an in-depth explanation of the new Lisk SDK Architecture and the three ways to build, extend, and interact with a blockchain application built with the Lisk SDK. Therefore, the talk will cover aspects such as extending the distributed ledger-based on your business requirement, providing extended APIs for external third-party apps, or scripting some utilities to interact with blockchain application on the command line.

Distributed Ledger Technologies are here to stay. What started as an enabling technology for Bitcoin has now become a core platform for businesses and organizations around the world. Applications range from food safety, through trading all the way to fighting COVID-19. Marta will discuss DLT adoption in the enterprise world and the use cases Hyperledger members are implementing today, in production.

Its been a long day of interesting talks and learning! We hope you have had fun. Tomorrow is DevOps Day! 2020 has meant we can’t all be together, but that doesn’t mean we can’t network with a beer!

When you’re new to an industry, you encounter a lot of new concepts. This can make it really difficult to get your feet underneath you on an unfamiliar landscape, especially for junior engineers. What does DevOps really mean? What’s all this software? What’s all this jargon? Is DevOps a methodology, or a toolset? Is any of this actually going to make my life easier, or is it just a bunch of industry buzzwords? We'll answer all of these questions (and more) during this hands-on workshop, and get you set up with an end-to-end DevOps solution to automate your build artifact storage, vulnerability detection, testing, and deployment. For-profit and glory!

Prerequisites

1. JFrog SaaS account – This is free, no credit card required. It includes access to Artifactory, Pipelines, and Xray, with a limited amount of storage, transfer, and build minutes.
2. Docker – The Docker client should be installed and configured on your machine.
3. Python3 – We will need to run a hello world Python application. Python 3.6 or higher is required.
4. Code editor – Whatever you are most comfortable with. I will be using SublimeText.

Workshop course outline

• Intro to DevOps: What is the definition of DevOps? What does DevOps mean for developers? What is all of this jargon?
• Artifactory Module: Why do you need to manage your build artifacts? Binary repository setup in Artifactory (PyPi, Docker). JFrog CLI.
• Pipelines Module: What is CI/CD? Pipelines integrations. Writing a "Hello world" pipeline. Deploying an application.
• Xray Module: Why do devs need to worry about vulnerability detection and license compliance? What about security and license policies? How to scan a build. How to read the results. ‍
• Wrapping Up: What are the next steps?

"During the life cycle of a project, it can be easy to build a CI/CD pipeline with just speed and resources in mind. This also makes it easy to leave the security of your pipeline as an afterthought because of how tedious it can be to build a pipeline to begin with. In this talk, we'll look into the different ways an intruder can compromise your pipeline and how you can build in security as you create and update your pipelines.

Some things we will consider include how easy it would be for an intruder to get your environment variables, how well defined your permissions are, and if there are any third party services or bugs that could be exploited. We'll look at a comparison of a few CI/CD tools and how you can handle these concerns in their respective ecosystems. By the end of this talk, you should feel comfortable doing a quick pipeline security audit and fixing some security concerns in multiple CI/CD products."

Transitioning from delivering software to customer premises with little visibility on production systems to a proactive monitoring methodology of cloud environments provides substantial results: reduced system failures in production, issues being tackled before they can impact the customer experience, and shifting from a reactive approach to proactive observability.

DevOps is not the realm of startups or Silicon Valley giants only. What are the strategies to keep in mind when introducing DevOps to a company with a vast digital portfolio? And more important: How do you stick with it and deal with different release cycles?

About the panelists

Adrian Kosmaczewski manages Developer Relations at VSHN, the DevOps company. He is a software developer since 1996, a trainer, and a published author. Adrian holds a Master in Information Technology from the University of Liverpool. When not coding or teaching, Adrian likes to spend time with his wife Claudia, his cat Max, and his Olivetti Lettera 22 typewriter.

Aubrey Stearn is a hands-on CTO; she's worked in Financial Service, Retail, Hospitality sectors. Frequently found speaking at DevSecOps events mostly in London, she keen to take the movement to the next level with continuous compliance and RegTech innovations.

Gregory Ouillon is the CTO for New Relic in EMEA. In this role, he supports customers across EMEA as they adopt modern technologies and transform digitally. Greg brings extensive experience as Engineering and Product leader, turning new technology into global services, developing high-tech innovations and scaling them up into profitable businesses. Greg worked in leadership roles at SITAONAIR, SITA, Orange Business Services and Equant, in the ICT and Aviation sectors.  He managed product P&Ls, strategy, innovation and transformation, engineering and software development, technology and product lifecycle, service creation and management.

Nočnica Fee is a hardware hacker, programmer, and writer living in Portland Oregon. She works as a developer advocate for New Relic specializing in serverless. She has 35 houseplants and loves woodworking, something she is not good at. Publications include The New Stack, Diginomica and Forbes.

Serverless is a powerful new offering from large cloud providers, but teams who have dived in discover real problems with team communication and collaboration when adopting serverless. I'll show you the techniques and planning you need to get your team ready to deliver serverless applications.