Running FaaS with Scissors

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 4:30 p.m. (45 minutes)

Taking a DevSecOps mindset has created many opportunities to nudge organizations into improving how we create secure code. The security and DevOps landscape has continued to evolve with many exciting improvements in the past year. In this talk, we’ll cover the new methods available utilizing serverless and Function as a Service (FaaS) technologies. We’ll discuss how you can pave a speedy road for app teams to develop while constructing guard rails using OpenFaaS. Utilizing containerized security tools allows for dramatically quicker and more consistent assessments of both running and static code. By using the techniques discussed, you can change security testing from an occasional point-in-time exercise to continuous testing with fast feedback loops. Having created these at past employers, we bring real-world experience of creating fast and agile testing automation to AppSec teams.


Presenters:

  • Matt Tesauro
    Matt Tesauro is currently establishing an SDLC at a large healthcare software provider. Prior to his current role, he was a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Previously, he was a founder and CTO of 10Security, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools and the AppSec Pipeline project brings lessons from DevOps and Agile into Application Security. He holds two degrees from Texas A&M University and several security and Linux certifications.
