] ⽬标Svn⾥泄露的各类 敏感⽂件 ⽹站⽬录扫描 [ 查找⽬标⽹站泄露的各类敏感⽂件, ⽹站备份⽂件, 敏感配置⽂件, 源码 , 别⼈的webshell, 等等等...] ⽬标站点⾃身在前端代码中泄露的各种敏感信息 fofa / shodan / bing / google hacking 深度利⽤ 搜集⽬标 学⽣学号 / 员⼯⼯号 / ⽬标邮箱 [ 并顺⼿到各个社⼯库中去批量查询这些邮箱曾经是否泄露过密码 CVE-2016-10033 泛微 OA 远程代码执⾏ ⾦蝶 OA SQL 注⼊ Coremail 敏感⽂件泄露 UEditor 任意⽂件上传 OpenSSL ⼼脏滴⾎抓明⽂账号密码 [Heartbleed] 破壳漏洞 [Shellshock] 各种能快速 getshell 的常规基础 Web 漏洞利⽤ [注: 有些漏洞在不审代码的情况下其实 是很难有效盲测到的] 后台弱⼝令 SSRF sql注⼊ 越权 命令 / 代码执⾏ / 反序列化 任意⽂件上传 / 下载 / 读取 包含 XSS（实际上,XSS只有在针对某些特定邮箱,⼿⾥有浏览器0day时价值才会⽐较⼤,红队场景下其实并不是⾮常致命) 业务逻辑漏洞 针对各类边界⽹络设备的各种利⽤, 主要是 Web 管理控制台登录弱⼝令 及 各类已知 nda y 攻击利⽤ Pulse Secure VPN

Myth—DevOps is Only for Startups: b. Myth—DevOps Replaces Agile c. Myth—DevOps is incompatible with ITIL d. Myth—DevOps is Incompatible with Information Security and Compliance: e. Myth—DevOps Means Eliminating follows this progression: a. Environment creation: b. Code deployment: c. Test setup and run: d. Overly tight architecture: iv. ELIMINATE HARDSHIPS AND WASTE IN THE VALUE STREAM 1. In the book Implementing work: b. Extra processes: c. Extra features: d. Task switching: e. Waiting: f. Motion: g. Defects: h. Nonstandard or manual work:i. Heroics: d. The Second Way: The Principles of Feedback 27

I took that action?” 5. Brainstorm on real, implementable countermeasures – not Be more Careful d. PUBLISH OUR POST-MORTEMS AS WIDELY AS POSSIBLE i. After the meeting, widely publish the minutes, artifacts every day every exercise and new piece of information is evaluated and debated; more similar to R&D lab. f. REDEFINE FAILURE AND ENCOURAGE CALCULATED RISK-TAKING i. Leaders reinforce the culture through Single repository with over 1B files and over 2B SLOC, over 25K engineers for every Google property d. SPREAD KNOWLEDGE BY USING AUTOMATED TESTS AS DOCUMENTATION AND COMMUNITIES OF PRACTICE i. Ensure

version control by Ops was the highest predictor of both IT performance & organizational performance d. MAKE INFRASTRUCTURE EASIER TO REBUILD THAN TO REPAIR i. Quickly building enables quickly re-creating – lose the ability to learn from mistakes and diminish integrating that learning into future work d. Google Web Server (GWS) team was struggling with changes – Hard line: no changes would be accepted potential rework and merge problems 1. Cross-cutting dependency improvements often provide high-payoffs d. ADOPT TRUNK-BASED DEVELOPMENT PRACTICES i. CI and Trunk-based development (TBD) are countermeasures

.................................................................................... 61 Appendix D: DoD 5000 Information Requirements ................................................................ team’s ability to focus on capability delivery. Figure 11 Capstone Documentation Example Appendix D lists required DoDI 5000.02 and BCL acquisition documents, and contains a table that identifies the currently available. User feedback, in turn, guides developers and acquirers in shaping the program and R&D investments.  Allow the full community to contribute to the program’s future by holding discussions

Startups & shutdowns 9. Faults & errors 10. Circuit breaker trips 11. Delays 12. Backup success/failure d. USE TELEMETRY TO GUIDE PROBLEM-SOLVING i. Don’t practice “Mean Time until Declared Innocent” – culture probably a better way to do this.” Unfortunately, there wasn’t a better way to do that operation.” d. HAVE DEVELOPERS INITIALLY SELF-MANAGE THEIR PRODUCTION SERVICE i. Google has development groups self-manage add features to the baseline that also increase maintenance costs and identify opportunity costs. d. INTEGRATE A/B TESTING INTO OUR RELEASE i. A/B testing requires fast CD to support ii. Use feature

bad behavior?” I truly doubt that any of the Beltway bandits sees themselves as bad people, and I’d bet that most are truly well-meaning. It’s the system that has failed them, and us. But how do we change and accountability? You know the answer: Scrum. Let’s start a few thousand miles west of Washington, D.C., in the Washington state capital, Olympia. There, the past two administrations—first a Republican goals. This is what people should expect from their government. The very fact that they sound clichéd is an indicator of their importance. A cliché, after all, is just a truth repeated enough times to

• No conversations • No meetings • No eating • No preening How does it work? 1. Choose a task you’d like to get done 2. Set the Pomodoro for 25 minutes 3. Work on the task until the Pomodoro rings Personal Productivity Using The Pomodoro Technique, Daniel Hinojosa, https://docs.google.com/presentation/d/1ufjcILARuowbv3Y9r-FP9-x3kmlIzq7bvOJBxRVh3-w/ present#slide=id.i0 [3] Flow: The Psychology of Optimal

public/schedule/proceedings [2] YouTube Playlist: https://www.youtube.com/playlist?list=PL055Epbe6d5Y86GSg3nhUH3o_v62FGpCI

Image from https://github.com/jondavid-black/DevOpsForDefense/raw/master/Meetup/2019/2019-10%20DO4D%20- %20DevSecOps%20Reference%20Design.pdfContainerized Software Factory Reference DesignSoftware Factory