AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program

Presented at AppSec USA 2016, Oct. 14, 2016, 3:30 p.m. (60 minutes)

Is software development outpacing your ability to secure your company's portfolio of apps? You don't have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn't already have more than enough to do. This talk will cover how to take the lessons learned from forward-thinking software development and show you how they have been applied across several businesses. This isn't a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on the improvements seen will be provided.

Beyond providing concrete examples of how to optimize your AppSec program, the talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in. It will also introduce several new OWASP projects which will help you on your journey: the OWASP AppSec Pipeline project, OWASP Defect Dojo and the AppSec Pipeline toolbox. This talk's content plus these open source projects are more than you'll need to get started buying down your technical security debt and unshackling yourself from traditional AppSec thinking.


Presenters:

  • Matt Tesauro - OWASP Foundation
    Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided training at various international industry events including the DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, and AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for the OWASP AppSec Pipeline and WTE projects. WTE is a collection of application security testing tools, and the AppSec Pipeline project brings lessons from DevOps and Agile into Application Security. He holds two degrees from Texas A&M University and several security and Linux certifications.
