Lock Down Your Conference Agenda with this Guide to SpringOne Platform for Security Pros

September 18, 2018 Jeff Kelly

Gone are the days when application security was an afterthought, tacked on at the end of the development process. In a world of cloud-native microservices and continuous delivery, security pros need to reconsider the role and the place of security in the software development lifecycle. It’s going to require fresh thinking, fresh approaches, and fresh tools.

The process of modernizing security for cloud-native software is already underway and is well represented at this year’s SpringOne Platform 2018, which takes place September 24 to 28 in Washington, D.C. SpringOne is the premier cloud-native software event, with thousands of developers, platform operators, CIOs, and, yes, security pros gathering to collaborate, share knowledge, and create transformational software.

There are no fewer than a baker’s dozen security-focused sessions at this year’s event, indicative of just how important security is to enterprises adopting modern software development. As you make out your agenda for the show, refer to this handy guide to security at SpringOne Platform. And remember, stay safe out there!

Day 1: Tuesday, September 25

Securing Spring Functions By Breaking In

Did you hear something? I think there’s a burglar trying to break into our Spring Functions! Oh wait, it’s just Snyk CEO Guy Podjarny. In this session, Podjarny explores the challenges and offers solutions to securing Spring Functions by exploiting their vulnerabilities live on stage. He’ll explain what led to the vulnerabilities in the first place and show how you can avoid making the same mistakes yourself.

When: 2:40 to 3:10 pm

Speaker: Guy Podjarny, CEO, Snyk

 

MongoDB + CredHub = Secure By Default Data Services on PCF

Cloud-native data is getting a lot of attention recently, as well it should. Managing and using data in cloud-native environments such as Pivotal Cloud Foundry requires new ways of thinking, particularly when it comes to data security. In this session, MongoDB Senior Consulting Engineer Diana Esteves illustrates how developers can use CredHub to quickly and easily store MongoDB secrets, including passwords and other credentials, all running on PCF.

When: 3:20 to 3:50 pm

Speaker: Diana Esteves, Senior Consulting Engineer, MongoDB

 

Building Secure Image Pipelines with PKS & Harbor

Developers rely on automated delivery pipelines to build and ship software users love at the speed they require. But what about security? How can teams secure image pipelines with the same speed and efficiency? In this session, VMware’s Merlin Glynn, Product Line Manager for vSphere Integrated Containers, and Thomas Kraus, Senior Architect for the VMware Cloud Native Apps BU, show how development teams can use Pivotal Container Service, Harbor, and Concourse to secure delivery pipelines.

When: 5:00 to 5:30

Speakers: Merlin Glynn, Product Line Manager, vSphere Integrated Containers, VMware

Thomas Kraus, Sr. Architect VMware Cloud Native Apps BU, VMware

 

Securing Microservices in Hybrid Cloud

We all know that two-factor authentication is a great way to make access to online consumer services more secure. Turns out, it’s also effective for securing access to applications and services running on Cloud Foundry. In this session, T-Mobile’s Komes Subramaniam, Principal Software Engineer, and Senthil Velusamy, Senior Director of MTS Domain Architecture, introduce attendees to the T-Mobile Authentication and Authorization Process, or TAAP, which the mobile carrier designed to address several limitations and security issues with previous approaches to two-way SSL.

When: 5:40 to 6:10 pm

Speakers: Komes Subramaniam, Principal Software Engineer, T-Mobile and Senthil Velusamy, Senior MTS Domain Architecture, Director, T-Mobile

 

Day 2: Wednesday, September 26

Microservices Security Patterns & Protocols with Spring & PCF

Everyone wants secure applications, but securing applications can be challenging. The challenge gets tougher still when it comes to applications made up of many individual microservices, each with its own security vulnerabilities to consider. So the easier it is to build security into your microservices upfront, the better. In this session, Pivotal Platform Architect Adib Saikali explores how standards such as JWT, JWA, OAuth2, OpenID Connect and others can be combined to make writing secure microservices easy-peasy.

When: 11:30 am to 12:40 pm

Speaker: Adib Saikali, Platform Architect, Pivotal

 

Securing Pivotal Cloud Foundry by Regularly Rebuilding

Why patch servers when you can rebuild servers in less time, with greater consistency, avoiding human error, without customer downtime, and be home in time for lunch? You don’t! Lance Rochelle, Product Manager at Wells Fargo, discusses how the bank’s platform team regularly rebuilds servers running PCF and the related benefits to security and compliance.

When: 12:10 to 12:30 pm

Speaker: Lance Rochelle, Product Manager at Wells Fargo

 

Innovating Faster with Continuous Application Security

If you’re continuously integrating and deploying software, shouldn’t you approach security the same way? The answer is yes, but for many organizations application security is still a time-consuming, manual process. This often leads to bottlenecks in the software development lifecycle and the introduction of CVEs by well-meaning developers. In this session, Contrast Security Co-Founder and CTO Jeff Williams discusses the concept of continuous application security and steps you can take to get there.

When: 2:00 to 2:30

Speaker: Jeff Williams, Co-Founder and CTO, Contrast Security

 

Reactive Spring Security 5.1 by Example

Reactive programming is a great, declarative approach to building applications and is particularly well-suited to applications that need to quickly react (get it?) to asynchronous data streams. But how do you effectively secure reactive applications? In this how-to session, Rob Winch, Spring Security Project Lead at Pivotal, walks you step by step through the process using Reactive Spring, highlighting new features in Spring Security 5.1, and answering your frequently asked questions.

When: 2:00 to 3:10 pm

Speaker: Rob Winch, Spring Security Project Lead, Pivotal

 

DevSecOps: Security at the Speed of DevOps

Security in a DevOps world requires a change of thinking. Specifically, security professionals need to stop thinking of themselves as gatekeepers that application developers must navigate to get their software into production and start thinking of themselves as self-service toolsmiths and coaches, argues Comcast’s Larry Maccherone. In this session, Maccherone, DevSecOps Transformation Lead at the company, illustrates how this approach works in practice at Comcast and how it can be applied at your enterprise.

When: 3:20 to 3:50 pm

Speaker: Larry Maccherone, DevSecOps Transformation Lead, Comcast

 

Demystifying SAML Using Spring Security

You’ve probably heard of the Security Assertion Markup Language, or SAML, one of the most popular federated identity management standards out there. But how well do you understand it? The open security standard that enables credential sharing across multiple computers on a network can be a bit mystifying. In this session, Pivotal Senior Staff Engineer Filip Hanik and Product Manager Sree Tummidi break it all down, providing an overview of SAML and showing how to build a SAML service provider using the latest versions of Spring Security and Spring Boot.

When: 4:20 to 5:30

Speakers: Filip Hanik, Senior Staff Engineer, Pivotal and Sree Tummidi, Product Manager, Pivotal

 

CredHub and Secure Credential Management

Hey … want to know a secret? Yea? So does everybody else. That’s why it’s critical to safely and securely store platform and application secrets, such as passwords and other credentials, using an airtight secrets management tool such as CredHub. This session with Pivotal Platform Architect Peter Blum and Software Developer Scott Frederick looks at how to enhance security within Cloud Foundry and applications running on the platform with CredHub.

When: 5:00 to 5:30

Speakers: Peter Blum, Platform Architect, Pivotal and Scott Frederick, Software Developer, Pivotal

 

Security in the Hybrid Cloud at Liberty Mutual

How do you provide comprehensive security for legacy software and new, modern applications running in a variety of environments, including on-premises and in the public cloud? Liberty Mutual Security Architect Matt Ruel provides an overview of the insurance giant’s approach to hybrid cloud security with PCF.

When: 5:00 to 5:30 pm  

Speaker: Matt Ruel, Security Architect, Liberty Mutual

 

Developer Secure Containers for the Cyberspace Battlefield

The Department of Defense is a ripe target for bad actors, state-sponsored or otherwise. But the agency also needs to develop cutting-edge applications to meet its mission requirements. How does the DoD innovate while staying secure? The answer is Pivotal Container Service. In this session, Pivotal Senior Platform Architect Chris Saunders and VMware NSX Staff Systems Engineer Jason Scanga cover strategies for securing applications running on PKS at the DoD.

When: 5:40 to 6:10 pm

Speakers: Chris Saunders, Senior Platform Architect, Pivotal and Jason Scanga, NSX Staff Systems Engineer, VMware

 

You've heard the expression, "It's like changing the tires on a moving car." Well, what about "It's like changing the engine on a plane flying 600 MPH"? That's essentially what Boeing is doing as it transforms its software development process while maintaining the rigorous level of security the company is known for. Wrap up SpringOne Platform with a lively interactive panel discussion on cloud-native security with one of America's most iconic companies.

When: 11:50 am - 12:20 pm

Speakers: Brad Schaefbauer, Platform Service Owner, Boeing Enterprise Cloud Services, Boeing; David Ibanez, Software Engineer, Boeing; Rob Monroe, Technical Product Manager, Boeing; and Chris Phillipson, Senior Platform Architect, Pivotal

 

Secure Your Spot at SpringOne Platform!

As you can see, SpringOne Platform has cloud-native security covered. If you haven't registered yet, there's still time to secure your spot! Register today with discount code S1P200_JKelly and get $200 off the registration fee. See you in D.C.!

 

 

About the Author

Jeff Kelly

Jeff Kelly is a Director of Partner Marketing at Pivotal Software. Prior to joining Pivotal, Jeff was the lead industry analyst covering Big Data analytics at Wikibon. Before that, Jeff covered enterprise software as a reporter and editor at TechTarget. He received his B.A. in American studies from Providence College and his M.A. in journalism from Northeastern University.
