Gone are the days when application security was an afterthought, tacked on at the end of the development process. In a world of cloud-native microservices and continuous delivery, security pros need to reconsider the role and the place of security in the software development lifecycle. It’s going to require fresh thinking, fresh approaches, and fresh tools.
The process of modernizing security for cloud-native software is already underway and is well represented at this year’s SpringOne Platform 2018, which takes place September 24 to 28 in Washington, D.C. SpringOne is the premier cloud-native software event, with thousands of developers, platform operators, CIOs, and, yes, security pros gathering to collaborate, share knowledge, and create transformational software.
There are no fewer than a baker’s dozen security-focused sessions at this year’s event, indicative of just how important security is to enterprises adopting modern software development. As you make out your agenda for the show, refer to this handy guide to security at SpringOne Platform. And remember, stay safe out there!
Day 1: Tuesday, September 25
Did you hear something? I think there’s a burglar trying to break into our Spring Functions! Oh wait, it’s just Snyk CEO Guy Podjarny. In this session, Podjarny explores the challenges and offers solutions to securing Spring Functions by exploiting their vulnerabilities live on stage. He’ll explain what led to the vulnerabilities in the first place and show how you can avoid making the same mistakes yourself.
When: 2:40 to 3:10 pm
Speaker: Guy Podjarny, CEO, Snyk
Cloud-native data is getting a lot of attention recently, as well it should. Managing and using data in cloud-native environments such as Pivotal Cloud Foundry requires new ways of thinking, particularly when it comes to data security. In this session, MongoDB Senior Consulting Engineer Diana Esteves illustrates how developers can use CredHub to quickly and easily store MongoDB secrets, including passwords and other credentials, all running on PCF.
When: 3:20 to 3:50 pm
Speaker: Diana Esteves, Senior Consulting Engineer, MongoDB
Developers rely on automated delivery pipelines to build and ship software users love at the speed they require. But what about security? How can teams secure image pipelines with the same speed and efficiency? In this session, VMware’s Merlin Glynn, Product Line Manager for vSphere Integrated Containers, and Thomas Kraus, Senior Architect for the VMware Cloud Native Apps BU, show how development teams can use Pivotal Container Service, Harbor, and Concourse to secure delivery pipelines.
When: 5:00 to 5:30
Speakers: Merlin Glynn, Product Line Manager, vSphere Integrated Containers, VMware
Thomas Kraus, Sr. Architect VMware Cloud Native Apps BU, VMware
We all know that two-factor authentication is a great way to make access to online consumer services more secure. Turns out, it’s also effective for securing access to applications and services running on Cloud Foundry. In this session, T-Mobile’s Komes Subramaniam, Principal Software Engineer, and Senthil Velusamy, Senior Director of MTS Domain Architecture, introduce attendees to the T-Mobile Authentication and Authorization Process, or TAAP, which the mobile carrier designed to address several limitations and security issues with previous approaches to two-way SSL.
When: 5:40 to 6:10 pm
Speakers: Komes Subramaniam, Principal Software Engineer, T-Mobile and Senthil Velusamy, Senior MTS Domain Architecture, Director, T-Mobile
Day 2: Wednesday, September 26
Everyone wants secure applications, but securing applications can be challenging. The challenge gets tougher still when it comes to applications made up of many individual microservices, each with its own security vulnerabilities to consider. So the easier it is to build security into your microservices up front, the better. In this session, Pivotal Platform Architect Adib Saikali explores how standards such as JWT, JWA, OAuth2, OpenID Connect, and others can be combined to make writing secure microservices easy-peasy.
When: 11:30 am to 12:40 pm
Speaker: Adib Saikali, Platform Architect, Pivotal
Why patch servers when you can rebuild them in less time, with greater consistency, avoiding human error, without customer downtime, and be home in time for lunch? You don’t! Lance Rochelle, Product Manager at Wells Fargo, discusses how the bank’s platform team regularly rebuilds servers running PCF and the related benefits to security and compliance.
When: 12:10 to 12:30 pm
Speaker: Lance Rochelle, Product Manager at Wells Fargo
If you’re continuously integrating and deploying software, shouldn’t you approach security the same way? The answer is yes, but for many organizations application security is still a time-consuming, manual process. This often leads to bottlenecks in the software development lifecycle and the introduction of CVEs by well-meaning developers. In this session, Contrast Security Co-Founder and CTO Jeff Williams discusses the concept of continuous application security and steps you can take to get there.
When: 2:00 to 2:30
Speaker: Jeff Williams, Co-Founder and CTO, Contrast Security
Reactive programming is a great, declarative approach to building applications and is particularly well-suited to applications that need to quickly react (get it?) to asynchronous data streams. But how do you effectively secure reactive applications? In this how-to session, Rob Winch, Spring Security Project Lead at Pivotal, walks you step by step through the process using Reactive Spring, highlighting new features in Spring Security 5.1, and answering your frequently asked questions.
When: 2:00 to 3:10 pm
Speaker: Rob Winch, Spring Security Project Lead, Pivotal
Security in a DevOps world requires a change of thinking. Specifically, security professionals need to stop thinking of themselves as gatekeepers that application developers must navigate to get their software into production and start thinking of themselves as self-service toolsmiths and coaches, argues Comcast’s Larry Maccherone. In this session, Maccherone, DevSecOps Transformation Lead at the company, illustrates how this approach works in practice at Comcast and how it can be applied at your enterprise.
When: 3:20 to 3:50 pm
Speaker: Larry Maccherone, DevSecOps Transformation Lead, Comcast
You’ve probably heard of the Security Assertion Markup Language, or SAML, one of the most popular federated identity management standards out there. But how well do you understand it? The open security standard that enables credential sharing across multiple computers on a network can be a bit mystifying. In this session, Pivotal Senior Staff Engineer Filip Hanik and Product Manager Sree Tummidi break it all down, providing an overview of SAML and showing how to build a SAML service provider using the latest versions of Spring Security and Spring Boot.
When: 4:20 to 5:30
Speakers: Filip Hanik, Senior Staff Engineer, Pivotal and Sree Tummidi, Product Manager, Pivotal
Hey … want to know a secret? Yeah? So does everybody else. That’s why it’s critical to safely and securely store platform and application secrets, such as passwords and other credentials, using an airtight secrets management tool such as CredHub. This session with Pivotal Platform Architect Peter Blum and Software Developer Scott Frederick looks at how to enhance security within Cloud Foundry and applications running on the platform with CredHub.
When: 5:00 to 5:30
Speakers: Peter Blum, Platform Architect, Pivotal and Scott Frederick, Software Developer, Pivotal
How do you provide comprehensive security for legacy software and new, modern applications running in a variety of environments, including on-premises and in the public cloud? Liberty Mutual Security Architect Matt Ruel provides an overview of the insurance giant’s approach to hybrid cloud security with PCF.
When: 5:00 to 5:30 pm
Speaker: Matt Ruel, Security Architect, Liberty Mutual
The Department of Defense is a ripe target for bad actors, state-sponsored or otherwise. But the agency also needs to develop cutting-edge applications to meet its mission requirements. How does the DoD innovate while staying secure? The answer is Pivotal Container Service. In this session, Pivotal Senior Platform Architect Chris Saunders and VMware NSX Staff Systems Engineer Jason Scanga cover strategies for securing applications running on PKS at the DoD.
When: 5:40 to 6:10 pm
Speakers: Chris Saunders, Senior Platform Architect, Pivotal and Jason Scanga, NSX Staff Systems Engineer, VMware
Day 3: Thursday, September 27
You've heard the expression, "It's like changing the tires on a moving car." Well, what about, "It's like changing the engine on a plane flying 600 MPH"? That's essentially what Boeing is doing as it transforms its software development process while maintaining the rigorous level of security the company is known for. Wrap up SpringOne Platform with a lively interactive panel discussion on cloud-native security with one of America's most iconic companies.
When: 11:50 am to 12:20 pm
Speakers: Brad Schaefbauer, Platform Service Owner, Boeing Enterprise Cloud Services, Boeing; David Ibanez, Software Engineer, Boeing; Rob Monroe, Technical Product Manager, Boeing; and Chris Phillipson, Senior Platform Architect, Pivotal
Secure Your Spot at SpringOne Platform!
As you can see, SpringOne Platform has cloud-native security covered. If you haven't registered yet, there's still time to secure your spot! Register today with discount code S1P200_JKelly and get $200 off the registration fee. See you in D.C.!