Description
Speaker: Sven Ruppert
With convenience on the developer side, based on dependencies, abstraction layers and the composition of technologies, we are speeding up our production pipeline. But at the same time it's Pandora's box in terms of security too. How can you close this gap and eliminate the weaknesses? I'll show you how to start with free tools to protect your stack against known security vulnerabilities, how to increase productivity while working fast, efficiently and comfortably, and why quality based on excellent test coverage will be your safety belt.
B
Okay, hello, hello from my side as well, here from cold Germany. So I was reading already a few from Greece and Mexico, and hi, it's definitely warmer and better weather than here. So what we are talking about today is a little bit about polyglot security rules, and during this talk, if you have any questions, feel free to use the chat, feel free to use this Q&A window from Zoom.

B
I will try to have an eye on this one. So if there is anything I see, and at the right time, I will give an answer. Otherwise I will do this Q&A at the end of this session, but if there's anything, just, yeah, feel free to ask. Use the chat, and then I try to give an answer during the talk or immediately in time, if I see it. So now, one of the most critical things: I will start sharing my screen.

B
So let me see, I have my chat back and now I'm ready to go. So if there's any question, let me know; if you have any comments, feel free. And now we will start. So polyglot is a complicated word, but what we want to talk about, say. First of all, my name is Sven. If you want to reach me over the internet,

B
take Twitter, take LinkedIn, you can see me on YouTube, by the way. This background you see here from me was also screen sharing; it's just taken from one of my outdoor trips. I'm recording IT-related stuff in the woods. So if you're interested in this one, have a look on my YouTube channel. I'm there in German and in English, feel free. So, and JFrog, what we are doing, it's straightforward.

B
We are talking about DevOps and explicitly about DevSecOps, and this is what I'm doing as developer advocate at JFrog. So I'm focusing on the security part, and this is where we want to go today. So by the way, slides and all this stuff and the raffle: if you want to win something here, it's, oh, it's an Amazon Echo Show 5. Go to this bit.ly link and then you have the chance to win one. I don't know.

B
I think two business days, three business days, something like this, and we will announce a winner, so feel free. If you want to have this later on, just let me know, I will copy-paste it in the Slack later, in the chat here. So okay, cloud native, the big word, and
B
to go in all these details, but cloud native is perfect to show a few things. But even if you're working with monoliths or serverless or whatever, more or less the principles I'm talking about are the same. So this is, yeah, this is one thing that you should have in mind: don't fix too much on this cloud native stick here. It's just one thing, but we have this service-oriented and API communication.

B
These are quite generic things, and so if you're thinking about splitting up, for example, some services to microservices, then a machine is not really good in helping you if you want to decide: this is a use case for this microservice, a use case for another microservice. So here the human has to decide and has to split up and all this stuff, the same with the API communication.

B
But on the other side, you have these generic things that are in these layers, and if you are going to this container-based infrastructure, to this DevSecOps part, then you see that more and more the tools can help you with certain things. And here what we wanted to reach was, with splitting up the microservices, sure we want to have these short release cycles. We want to rewrite instead of maintaining old stuff, and this is, it's fine. It's nice! We as a developer...

B
I would learn it maybe first or not, but I would do all the mistakes that a junior would do, more or less in the same way, maybe in a shorter time, but I'm not seeing it anymore, and this is something that is tricky. So new technologies here, fancy, you like it, but on the other side you have to make sure that these new technologies are not bringing a huge stuff in. So you have new tools, you have new best practices with the language and so on and so on, and by default,

B
if you are talking about the cloud natives, or in general about the microservices zoo or serverless or whatever, if you're splitting up, then we are more or less just increasing the amount of technologies, and per definition we are talking about polyglot systems. So different technologies in one thing, and the amount of different technologies is increasing, and well, this is something you should have in mind. But splitting all this stuff away, so just focusing on one single application, call it one, or let's call it microservice, call it serverless,

B
I just, okay, we have more or less always the same stack here, and here again we have two dimensions I want to look at. So first of all, we are writing an application, and this application is what we're coding, and we have some use cases, and we are doing all this stuff. After this we're introducing the next layer, it's the operating system layer, for example Linux, and then we are wrapping it in Docker. We are composing it in the Kubernetes universe. So all this stuff is more or less layer by layer by layer.

B
We are increasing the complexity somehow because we're adding new technologies and they all have to fit together. But one thing is for sure: if you're adding some vulnerabilities in the first layer, for example inside the application layer, then it will be existing over all other layers, and the same with compliance issues. So if I have the wrong license at the right place inside the project, I will have a challenge, because it can just kill my business.
B
So what we are thinking about this one, what we have to do here, but there's one thing: even here we have some parts we have in all layers. There's a more technical part, and we have this more domain-specific part. So inside the domain-specific part, talking about security is more or less talking about the semantics, talking about the processes, or security per concept and all this stuff.

B
But if you are talking about the technical things, and here is where the tools are way better than in the domain-specific area, is that they can help you scanning for vulnerabilities and all this stuff. So here again, on all layers we are adding technologies, but we have a pure technical side, we have a domain-specific side, and the most people, what they forget in all of this, is we are talking about the whole toolchain as well, so inside this DevOps circle.

B
But this interesting thing in the cloud native, we are talking especially about DevSecOps, not DevOps anymore, means that we have the whole tooling. This is part of the whole production line as well, and here we have to think about the term security, but I want to talk about some polyglot stuff.

B
So what I'm explicitly excluding here, this part, is the concept phase. So I'm not talking about how to make a strong concept in terms of use cases and all this stuff. So I'm just focusing right now on the technical part, and yeah, that's, that is one thing that you should have in mind. Security starts early in the concept phase, not just during the coding phase, so even in the concept phase you have to think about the term security, but I'm excluding it here, because this is a too broad scope for now.

B
So, let's see, one thing I'm often hearing, and it took some time to remember something, is, for example, shift left. If you want to learn more about this topic, search for the term shift left, and what shift left means is, if you're just rotating this picture by 90 degrees and you're starting from left and reading to right, then it's that the earliest point is writing an application, before you're wrapping it in the operating system, before you're using Docker and so on. So shift left means dealing with the security term as early as possible.

B
And for this talk we are stopping with the shift-left concept at the application. We are not going to the concept phase, but even this would be more left. So what does it mean? Shift left means that we have to think about all these vulnerability and compliance issues as early as possible, and there is no dedicated phase where we have now security scans and then everything is done. But well,
B
it could be a customer application, whatever. Let's think about how to write this web UI, and if you're a cool Java developer, then all this web UI stuff is far away, so you want to have Java, and this is where you are, and then you have the different technologies, for example here this HTML5, CSS and JavaScript, because we are talking about, for example, web components on the graphical user interface or on the website, and these are two different things. But what will happen here as a Java developer?

B
Let's have this one. So we have these web components on one side. We have the Java side where we want to be, so where we are normally in, and then we have this kind of communication in between. For communication, you will find, for example, Java as well, so you know you're happy with this one, but how to deal with this now? So here's an example just to show how technology is hidden. I'm using Vaadin; Vaadin is an open source framework.

B
I don't want to go in all details here about this one, because we want to focus on the security, but if you're checking what they have done is, for example, they started mapping these different technologies together, because they want to have this convenience as a Java developer and will give you some other technology, some other layers somewhere. And here, for example, if you're dealing with a pure npm stack, you would have three things. You have this npm install to grab web components so that you have it in your local repository.

B
Okay, it's in the package manager and you're declaring something like: take these components with this version, and then it's grabbing from the external repository, storing on your local hard disk in a temporary folder, or something like an .m2 like it's done with Maven. And if you want to make this one on the Java side, for example with this Vaadin framework, you would have something like an annotation, and for you as a Java developer this is convenient: you have just an annotation, NpmPackage, on the class, and you have this value.

B
It's exactly what you would use with the npm section, or these coordinates of these components, and you have the version. So this is fine. On the other side, you would need now something like an import statement. It's the same like on Java, so you have an import statement of a class so that you can use it, and on HTML5, really, it's the same. You have an import and then you are explicitly addressing one class of one component, and you would find, hey,

B
I have a Java component, a Java annotation here, and it's exactly the same. So if I want to have a badge, then I'm just taking this annotation and writing the coordinates from this web component in, and then it's somewhere here how to use this one, how to map it to the JavaScript. If you are inside the web application, you would take this tag, for example UI5 badge, and to map it to the Java side, you would have a tag like ui5-badge.

B
At this annotation level, you are purely on the Java side, and if one of your colleagues would do this, one would say: okay, we have to code now all these web UIs, but we want to have it as a Java developer. One of your colleagues would exactly do this one with what components you need, and this is another thing: you can do it with every web component if you're using this Vaadin stack. So this is an example how I map the UI5 components, for example; then it would have a class extends Component.

B
Okay, and then you have these three annotations. What have you done now? We mapped not only technologies in different binaries, we mapped already life cycles. So with these three annotations at this Java class, if I'm somehow creating this instance, I would have an npm install, I would have an import, and I'm declaring a tag.
B
Let's
see
you
want
to
start
building
some
attributes
here.
It's
quite
easy.
You
can
map
it
on
the
java
site,
as
well,
so
with
elements
and
property
and
you're
setting
some
stuff.
So
even
this,
if,
if
you're
a
java
developer,
you
can
do
this,
one
quite
easy:
have
you
understood
the
whole
npm
stack
so
far?
No
I'm
not
sure
you're,
just
reading
some
documentation
and
see
okay,
there's
an
attributes
called
color
scheme
and
then
you're
reading
in
the
api
documentation.
B
Okay,
you
have
something
like
get
element
set
property,
okay,
this
matches,
and
then
you
start
mapping
all
this
stuff.
I
mean
this
is
great,
it's
very,
very
convenient
and
if
you
think
about
how
to
get
something
out,
the
next
thing
is:
okay,
I'm
not
not
only
possible
to
set
an
attribute.
I
can
grab
stuff
out
what
happened
now
from
the
browser
will
be
something
encoded
will
be
sent
over.
The
wire
into
your
system
will
be
converted
somehow
to
some
java
representative
thing
instance,
whatever
it
is
and
you're
accessing
it
wow
this
is
fame.
B
This
is
really
good,
so
the
convenience
factor
is
enormous
because
you
can
just
start
coding
java.
Even
if
you
start
thinking
about
okay,
I
don't
want
to
have
attributes.
I
want
to
have
a
tree
because
I'm
in
the
java-
but
now
you
start
thinking
about
how
to
how
to
map
all
this
stuff,
and
then
you
think,
okay,
if,
if
I
have
a
component
and
there's
a
complex
child
in
that,
I'm
doing
it
exactly
with
the
child
as
well.
So
here
you
see
okay,
there's
an
url,
five
icon,
and
then
you
start
again.
B
B
So
we
are
now
able
to
to
code
on
the
javascript.
A
quite
complex
thing
and
you'll
have
different
components.
You
have
a
huge
amount
of
communication.
You
have
a
huge
amount
of
technology
stacks
in
and
in
the
end,
if
you're
mapping,
this
one
one
one
person
in
your
team
and
we'll
make
a
jar
out
of
it
and
we'll
give
it
to
you,
you
as
a
developer,
would
just
see
new
ui5
edge,
set,
icon,
set
text
and
add
action
listener
whatever,
and
you
would
get
some
generators
on
the
screen
say
what
happened
here.
B
Is
it's
easy
to
map
this
technology?
You
have
a
huge
life
cycle
in
the
background
and
if
you're
checking
here's
a
dependency
tree,
it's
a
nightmare.
You
have
not
only
one
technology,
you
have
now
two
technologies.
You
have
two
package
managers
in
the
background
you're
dealing
here,
even
if
you're
not
seeing
it
with
different
technologies
in
a
level
at
a
level
that
is
well
well
hidden,
so
you
have
to
search
for
all
these
traps
way
or
just
combining
technologies
like
this.
B
On
the
other
side,
I'm
assuming
that
this
trend
will
be
coming
more
and
more
because
if
you
want
to
have
more
complex
things,
if
you
want
to
have
more
generic
things
on
the
on
the
inside,
but
more
easier
ways
to
to
formulate
your
use
cases
and
all
this
stuff,
you
need
this
convenience
to
have
the
right
speed
to
to
have
this
use
case
fast
enough
on
the
market.
So
we
are
talking
about
time
to
market
and
so
there's
a
requirement.
It
must
be
pushed
to
production
as
soon
as
possible.
B
So
we
will
have
this
one,
and
this
is
just
a
layer
inside
the
application.
You
will
have
the
same
on
the
operating
system
or
inside
docker
inside
kubernetes,
and
this
is
something
that
is
more
and
more
coming,
and
this
means
we
need
more
aware
of
it
and
we
need
tools
that
help
me
to
identify
what's
going
on
here
by
the
way.
If
you
want
to
have
a
look
at
this
you're,
a
java
developer,
you
have
to
do
what
web
components
you
want
to.
Try
it
out.
B
I
have
this
one
on
github
and
then
you
can
just
try
it
out.
It's
it's
a
good
running
proof
of
concept.
I
use
it
for
some
some
small
projects,
it's
open
source
apache,
license
grab
it,
try
it
and
if
you
have
some
feedback,
let
me
know
I'm
more
than
happy
to
to
see
it.
What
we
what
we
have
now
we
have
now
the
following:
we
have
now
an
application
and
instead
of
playing
with
one
package
manager,
we
are
playing
indirectly
with
two
package
managers
with
all
the
life
cycles
with
all
the
dependencies.
B
We are all grabbing these binaries and now we need something that will help us to identify the whole stack, not only the Java side. It would be a disaster if you're just checking vulnerabilities on the JavaScript. We have to check it on the npm side now as well, and this as early as possible. I have on YouTube a few examples. So how to do this?

B
One, I'm explaining it here in a few words, but if you want to have the long version, go to YouTube and check it out, for example how to harden this Vaadin framework with the stuff I'm showing here right now. So next is thinking about this convenience part and thinking about that we are just using what means: just we are using open source. I really love open source because we have the possibility to check.

B
We have supported visibility to analyze, to fix bugs and all this stuff, but if you're looking how much of this open source stuff we have in, it's quite a huge thing. So half, maybe 16, maybe 40. I don't want to be so strict with a percentage, but it will be a bigger part, and that means we are grabbing something because we don't want to reinvent the wheel.

B
But we have two different things. I mentioned compliance issues and I mentioned vulnerabilities, and one thing is, even in the polyglot system, you have this indirection to other technologies, means you have to have an eye on compliance as well of the whole stack. But the good thing with compliance issues is, in the beginning you need a lawyer that's defining: this is a good license for your project and there's a bad license for your project, whatever.

B
If this is done once, then the machine can do it constantly, and if you have a compliance issue somewhere, then it's just this tiny thing. So you have this library, you have to grab it out and you have to find a semantically equal solution running under a different license. So the process is quite clear. The machine must be, yeah, must be initialized with the information what's a good license, what's a bad license.

B
So you need something that will give you the full impact graph, so it makes no sense just to focus on one layer or one technology. You need the whole tech stack, everything from the application up to a Helm chart, everything, even the tooling itself. But what is the lifetime of a vulnerability, and what's a critical part, and where can we jump in with this?

B
If there is a vulnerability and it's created by accident, or someone wants to have this vulnerability in somewhere, we have no way to influence this one. So someone will create some vulnerability. Some vulnerability will be somewhere, and then we have this time until this is found. Do we have any chance to influence this one or two, to make this faster, shorter, whatever? Yeah, if you're a security researcher, we can work on this topic, but I assume that most of us are not security researchers, so we have to just wait.

B
I will give this information to them, and sometimes they decide: okay, we'll wait until two weeks before we are making it public, so that you can create a patch and all this stuff. And can we influence this time frame? Now, if you're not directly, yeah, affected, because we are the person that's contacted, we have no choice or no possibility to make this shorter.
B
If you like it or not, whatever, I don't want to say it's good, it's bad, it's whatever! I'm just mentioning that mostly the commercial vulnerability databases are faster and have more information than a free one. Maybe the free one will have the same, but maybe later. So what can we do here? We can wait until this information is consumable for us, if you're spending money for a service or if you're just waiting; whatever you're choosing, at some point this information will be available for you, so it's now consumable. You're not even just know it.

B
It's not consumable until this time; it's that this information is consumable for you, the timer is starting. So now that the clock is running, you would say, insurance. So now you must be fast. So if you have a good CI environment, everything is automated, perfect. Now you can start thinking about: okay, I know there is a vulnerability, I have to change somewhere in my stack, and it must run in production, so time to market.

B
We are talking about exactly the same time to market, so there is a need and we have to push it as fast as possible to production. So, and this is the only time we completely have under control, and mostly this is a quite long time, so for a lot of projects. Even this, there is a vulnerability until it's running in production, we are talking sometimes about weeks or months or even longer. So it's a disaster.

B
We're not checking the whole system, application layer, for example, and the difference between make and buy. Make is, you're writing it by yourself; buy is, you're adding a dependency. You will see that inside the application you will have at least some part of make, because this is the biggest part, mostly because you're writing all this stuff, but even the buy part, so this "I have a lot of dependencies", is a quite big one.

B
If you are going to the operating system, mostly I'm just adding some configuration, and the rest of this operating system is a dependency, and the same with Docker. The first statement is FROM, so it's just a dependency, and then we're adding some stuff, and the same with Kubernetes and so on, and so on, and the whole tool stack.

B
For example, if you're compiling your JVM and all this stuff, it's a dependency model. So we are grabbing a huge portion into our tech stack, and this is a binary that's coming from outside, and this is why I'm saying mostly: if you want to start with the security part, focus on the binaries, the external dependencies, because this is the biggest part in your whole tech stack. Whatever tech stack you're looking at, mostly this is the biggest part.

B
So if you're focusing on scanning this one and making it clean against known vulnerabilities and compliance issues, you have the low-hanging fruit, the quick wins done. Then you can start analyzing your code with AI or whatever, but having the dependencies under control is a key point if you want to start with security. So what is helping you?
B
You have these vulnerability and compliance issues, and those will push you to some change in your code, and if you're changing something, well, the best you could have is a perfect test coverage. So if you have a really strong test coverage, then you can start shifting versions around; that's a test suite run, and be sure that you can push it to production because you have the same behavior of your application. And I personally, I'm a fan of mutation testing because it's way stronger than pure line coverage; whatever fits to your needs, and decide.

B
What is the strongest line coverage you have, or how to make this test coverage as strong as possible, because this is your safety belt. Because the first line, or the first thing working against vulnerabilities, means you need a very efficient dependency management, because a very efficient dependency management will have the biggest impact, or the fastest impact, on the biggest part of your project. So TDD is just working hand in hand with security. That means quality and security, they're just going in the same direction, and this is perfect. So they are not running in different directions.

B
If you're not thinking about, okay, we have different dependencies, we have different technologies, and even inside the application I have different technologies, because we are talking inside an application about polyglot systems. But even if I have different microservices, this polyglot system is even bigger. Even more components and technologies are running around. It would be perfect if you would have something that is able to handle all these dependencies,

B
all these different dependency managers, to aggregate all binaries in one logical point. Why this is important: because if you have all binaries at this logical point where everything is running together, you have the perfect place for scanning the dependencies, so scanning against compliance and vulnerability issues, and this is what we are delivering here with Artifactory and with Xray. So with Artifactory here, there's dependency management inside, so a binary repository, and you can have your Maven repository, your Debian repository and everything together.

B
And if you have this, your Artifactory instance, as a gateway, then you can go with Xray as a binary scanner. You can connect and analyze against compliance and vulnerabilities. If you want to try it out, we have a free tier here. I will share the URL at the finish, so that you can just try it in the cloud, but it's on hybrid environments, means half cloud, half on-prem, or completely on-prem, so it doesn't depend. But you need this.

B
You need this single point where you can just analyze all binaries of all technologies, and the most people, and this is one thing, the most people forgetting just the tool stack itself. So they have all dependencies of the application, but they are not scanning the binaries they are using inside the production line, and even this, it's just a dependency. You're declaring it; you need a place where it's stored.

B
Take a generic repository. Put your compiler in, put your whatever, just push all this stuff in, to make sure that it's immutable, so that you can reproduce the state every time to analyze it, and on the other side that you can just scan your binaries. That's it, and even a compiler can have a wrong license.
B
Okay, we have different ways to formulate it. So if you have an auditing system or you have some compliance rules or some documentation that's describing all the stuff, you need some ways to describe what's written down somewhere.

B
Excuse me. And on the other side you need something that is mapping to this technology, and here we have this concept of the rules, policies and watches. I'm not explaining everything in detail, but the main thing is you have this rule. That is an independent, stateless definition: if I find something with CVSS 7.3 or higher, then break the build, send a webhook, send a mail, whatever, so different things you can do, and that is independent from the technology. You are just describing what should happen if I'm,

B
if I found something. Then you have these policies, and policies are a composition of these rules under a logical name, and it would be: if you have a document, an auditing document, a security description somewhere, you would have the single actions, what should happen, inside these rules, and then every chapter would be a policy. And then you can have even a one-to-one mapping between your documentation and requirements to what's running inside Xray, and then you want to have this technology-independent description:

B
what should happen, what should happen, and you map it against repositories. It's called watches. So then you're combining these policies with watches, with Maven repositories, Docker, whatever, so it's free to combine, and this is what we have: watches, policies and rules. If you want to know this in detail, I made these how-tos and then you can really see how to create it, what are you doing, all this stuff, or just check out for them on our side.

B
Then you can get this one, but in the beginning, during the beginning, we spoke about shift left. What does it mean? What does shift left mean? Shift left means that you want to start as early as possible. Assume the following: you're starting a proof of concept, you're happy, damn, yeah. Finally, I can start coding something from scratch. I can choose some technologies, whatever, or just playing around with some stuff, and then you start aggregating technologies.

B
You're writing your proof of concept, and after the first day you're committing the first things and you're pushing it, and oh, you have to create this pipeline, and then you are creating the pipeline inside your CI environment. The CI environment will start working, and then at some point it will say: oh, that dependency you're using, sorry, but too many vulnerabilities in, or wrong license, there's a transitive dependency, and this is just not possible here in this project.

B
The maintainer of this project was not good enough in checking if there's one, or maintaining such one. What have you done? You just wasted a huge amount of time, and this is a huge amount of money, and we don't like to waste money because we have to explain it somehow. So we have to remove this time, or we have to shorten this time as much as possible. So having all this stuff inside the CI environment, it's perfect, but it's not the earliest point.
B
You need this information earlier, and one early stage is having this information inside your IDE, and that means, if you're working with Java, for example, and you're dealing with this dependency management system, the first thing before you're doing something is: firstly, you are declaring some kind of dependency. Oh, I want to have JUnit 5, or I want to have this library, this PDF library or this algorithm, whatever. So you're declaring this one inside the pom.xml or Gradle or whatever you use, and

B
at this point you're declaring the coordinates of the binary and the version, and at this point the IDE plugin that we are offering for Xray will grab this version information, these coordinates, and ask the vulnerability database if there's anything that we should know, any vulnerability or any compliance issue, and this for all transitive dependencies as well. So if you're adding a dependency, not only this one is the important one, but you need all transitive dependencies, and this is what the IDE plugin is doing.

B
You can just install this IDE plugin; it's open source, it's free, so even with the free tier you can connect with the IDE plugin into your feed here, and in the free tier you have a slightly limited version of Xray that you can use to scan against known vulnerabilities. So inside here we have it for IntelliJ, VS Code, Eclipse, whatever, but feel free, so try it. And then you will get immediately this information, and here's a screenshot; it's just showing a little bit. There's a tree.

B
You will get this tree of all the dependencies, so you see the whole hierarchy, and then you can start searching for stuff you don't want to have, and then you start replacing these dependencies, and again, if you have good test coverage, it's exactly what you need. So, and how to do this one: I have there this whole process, how to exclude it, how to add a new dependency, and do this until everything is fine.

B
I have a YouTube video too, in these JFrog cartoons, where I'm explicitly showing this process and how to install the plugin, but mostly searching for the plugin in the store. So this is one thing, so inside the IDE you will have now the whole information about the tech stack. Back to the polyglot topic.

B
If we have now this dependency, my colleague mapped all this stuff against npm, I'm just adding a dependency. I'm not aware of this one; I'm grabbing this dependency, but the life cycle mapping will include all those technologies. You will see there in this tree: you have a tree for Java Maven and you will have a tree for the web components, for the npm stack. So, first of all, you see that there is some other technology in the background.

B
...client interface, that you can completely provision all this stuff via command line interface if you want, or via REST. What can you do with this? If you're talking about this scanning against vulnerabilities, you need some process how to handle this one. Sure, you can break a build.

B
This is one thing; you can notify via email, okay, but the really cool thing is that you have two things: the REST API to interact with the machine, and the second one is a webhook, because with this one you can start integrating third-party components and you can build semi-dynamic workflows. There is a vulnerability in this Docker image; I start now a process, it will make a dedicated quarantine repository, I'm pushing my stuff in, I'm automatically doing all these updates in this Docker layer, for example, and then I'm scanning it again, or whatever.

B
So you can start working with semi-dynamic workflows, and this will give you the possibility to feed reportings like compliance tools. You can pre-harden images if it's just an update of the versions, and so on and so on. So that's one thing, and yeah.
B
If you want to try it, feel free, grab this one, JFrog dot co, 3t devops underscore cdf, and then it will come to the point where you can start a free tier. And if you want to see how to do it, some how-tos, so how to start the free tier and platform overview, if you want to have a short guideline; otherwise check out the documentation or just ask me, and then you can start this one. And what should you do? You start a free tier.

B
It will take five minutes or so. You're just creating the repositories you need, for example your Maven repository; you're changing inside your pom in a way that you're using exactly this Maven repository, and then make a clean verify. That's it, and then you have all information, all earlier, with the IDE plugin; just connect to your Xray instance and later dependency scan.

A
Okay, just for folks' reference, I dropped in the chat the YouTube playlist where this will get updated to, so I'll clean it up after we're done and then I'll post it on this playlist. So if you want to refer to it or share this with other people, this is where this will get populated, and if we don't have any questions, I will not take any more time from Sven and the attendees, and we can wrap up, so last...