AppSec at DevOps Speed and Portfolio Scale

Presented at AppSec USA 2013, Nov. 21, 2013, 9 a.m. (50 minutes)

Video of session: https://www.youtube.com/watch?v=cIvOth0fxmI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=23 Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and Devops. Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't*handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development. Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools - application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all. Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect realtime data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowingall the stakeholders in security to collaborate and finally become proactive.

Presenters:

• Jeff Williams - Co-founder and CTO - Contrast Security
  I've been in security since the late 1980's and have been blessed with the opportunity to help start three great organizations: Aspect Security (recently sold to EY), OWASP, and Contrast Security. I'm coming to AppSec EU to meet *you*. I'm easy to find :-) and love to talk about basketball, boomerang design, DevSecOps, security instrumentation, replacing SAST/DAST/WAF with IAST/RASP/SCA, cost-effective appsec programs, OWASP history, and Dad-life (four kids, two in college). I am convinced that appsec as we know it must change and that DevSecOps is the path forward. I'd love your help!

Links:

• https://appsecusa2013.sched.com/event/13jbIny/appsec-at-devops-speed-and-portfolio-scale
• https://infocon.org/cons/OWASP/AppSecUSA 2013/AppSec at DevOps Speed and Portfolio Scale - Jeff Williams.mp4
• https://www.youtube.com/watch?v=cIvOth0fxmI

Similar Presentations:

• AppSec USA 2014 / Stop Chasing Vulnerabilities - Introducing *Continuous* Application Security
• AppSec USA 2013 / An Introduction to the Newest Addition to the OWASP Top 10. Experts Break-Down the New Guideline and Offer Provide Guidance on Good Component Practice
• AppSec USA 2014 / Keynote: Gary McGraw - Bug Parades, Zombies, and the BSIMM: A Decade of Software Security