Major contributing cause of issues stems from releases representing the first time we see how an application behaves in a production-like environment ii. Don’t just document the environment specifications the value stream iii. Everything, everything, everything is checked into version control 1. Application code & dependencies 2. Environment scripts & creation tools 3. DB scripts and reference data 4. Containers 5. Automated tests 6. Project artifacts – documentation, procedures, etc. 7. Application configuration files 8. This also includes pre-production and build processes 9. Tools iv. 2014

lexicon for this guide. Later sections will present more detail on the Agile processes and their application in DoD programs. The foundational structure of an Agile program is: Release - Capability system or commercial off-the-shelf (COTS) product, or building a small-scale or self-constrained application. In other words, Agile works well when the program needs to modify software for government purposes team or the target end user cannot be accessed. Program scope is mostly limited to the application layer while using existing infrastructure. Program Scope Program spans core capabilities and

as we try to become Agile. This frame of reference includes the notions of project, systems, application, investment, architecture, skill set, and accountability. We have, to be honest, made a jumble book is meant to be, really. About the Author Mark Schwartz is an Enterprise Strategist at Amazon Web Services and the author of The Art of Business Value and A Seat at the Table: IT Leadership in the

with the self-organizing character of project teams.”12 Enabler: We have been afraid of “rogue” application development, or shadow IT. There has been good reason for that. Rogue applications are often unreliable requires some sort of management.About the Author Mark Schwartz is an Enterprise Strategist at Amazon Web Services and the author of The Art of Business Value and A Seat at the Table: IT Leadership in the

绕CDN找出⽬标所有真实ip段 找⽬标的各种Web管理后台登录⼝ 批量抓取⽬标所有真实C段 Web banner 批量对⽬标所有真实C段 进⾏基础服务端⼝扫描探测识别 尝试⽬标DNS是否允许区域传送,如果不允许则继续尝试⼦域爆破 批量抓取⽬标所有⼦域 Web banner 批量对⽬标所有⼦域集中进⾏基础服务端⼝探测识别 批量识别⽬标 所有存活Web站点的Web程序指纹 及其详细版本 从 Git ⽬标邮箱 [ 并顺⼿到各个社⼯库中去批量查询这些邮箱曾经是否泄露过密码 ] ⽬标⾃⼰对外提供的各种 技术⽂档 / wiki ⾥泄露的各种账号密码及其它敏感信息 ⽬标微信⼩程序 分析⽬标app Web请求 借助js探针搜集⽬标内⽹信息 想办法混⼊⽬标的各种 内部QQ群 / 微信群 分析⽬标直接供应商 [尤其是技术外包] 根据前⾯已搜集到的各类信息制作有针对性的弱⼝令字典 ⽬标所⽤ Waf BypassWAF RCE BypassWAF 各类Java Web中间件已知Nday漏洞利⽤ BypassWAF Webshell 免杀 其它更多 待补充修 其它更多 , 待补充修正... 0x02 ⼊⼝权限获取 [外部防御重⼼ ( "重中之重") ] 此阶段,主要是针对各主流 "中间件 + 开源程序 + Web服务组件" ⾃身的各种已知Nday漏洞利⽤ 如下已按 "实际攻击利⽤的难易程度"

and are subsequently transmitted to receiving equipment for monitoring 1. Create telemetry in application & environments (to include production, pre-production, and CD pipeline) iii. Ian Malpass, Etsy what’s up or down. ii. Modern Monitoring architecture 1. Data Collection at business logic, application, & environments layer a. Events, logs, & metrics b. Common service to centralize, rotate, and systems need to be more available and scalable than the systems being monitored.” c. CREATE APPLICATION LOGGING TELEMETRY THAT HELPS PRODUCTION i. Dev & Ops create production telemetry as part of their

ormance-best-practices-together-for-a-spa  "We have created the web in our own image, and it is obese"  Modern web hourglass, web tier is now thin, smarts moved to browser Metrics, metrics everywhere than any other metric  Web Performance: 2 seconds is the magic number Whom did I meet?Attributions and References [1] Speaker Slides and Videos: http://velocityconf.com/devops-web-performance-2015/pub

vs BROWNFIELD SERVICES i. DevOps is not just for Greenfield ii. Important Predictor – Is the application architected (or could be re- architected) for testability and deployability? iii. Successful Brownfield mainframe and supporting applications a. They 2X release frequency b. Resulted in increased application reliability c. Reduced deployment lead time from 2 weeks to <1 day 2. Etsy a. “Barely survived the business; defines functionality ii. Development - the team responsible for developing the application iii. QA – team responsible for ensuring feedback loop exists to ensure functions as desired

providing application/infrastructure stacks that are pre- approved and appropriately configured and secured. f. INTEGRATE SECURITY INTO OUR DEPLOYMENT PIPELINE i. Hardening the application after development pipeline iii. Enable fast feedback on potentially insecure changes g. ENSURE SECURITY OF THE APPLICATION i. Focus on the sad paths or bad paths to effectively address QA, Infosec and related concerns

through Agile 2 Nick Tuck Maximizing Retrospectives 2 Ray Page Open Agile Topics 0 Jason Beranek Application Transparency 0 Ed Snodgrass Awesomeness through Stable Teams 0 Mike Ballou Open Discussion on in the Industry 1 Mike Ballou Agile Principles 0 Ray Page Open Agile Topics 0 Jason Beranek Application Transparency 0 Ed Snodgrass Awesomeness through Stable Teams 0 Mike Ballou Contracting Agile