Practical tips for web application security in the age of agile and DevOps

Presented at AppSec USA 2016, Oct. 14, 2016, 10:45 a.m. (60 minutes).

The SDLC has been the standard model for web application security over the last decade and beyond, focussing heavily on gatekeeping controls like static analysis and dynamic scanning. However, the SDLC was originally designed in a world of Waterfall development and its heavy weight controls often cause more problems than they solve in todays world of agile, DevOps, and CI/CD.  This talk will share practical lessons learned on the most effective application security techniques in todays increasingly rapid world of application creation and delivery. Specifically, it will cover how to:  1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices 2) Obtain visibility to enable, rather than hinder, development and DevOps teams ability to iterate quickly  3) Measure maturity of your organizations security efforts in a non-theoretical way

Presenters:

  • Zane Lackey - Founder/Chief Security Officer - Signal Sciences
    Zane Lackey is the Founder/Chief Security Officer at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners.He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, QCon, and has given invited lectures at Facebook, Goldman Sachs, IBM, and the Federal Trade Commission.

Links:

Similar Presentations: