Taking AppSec to 11: AppSec Pipelines, DevOps and Making Things Better

Presented at BSides Austin 2016, April 1, 2016, 10:30 a.m. (60 minutes)

How many applications are in your company's portfolio? What's the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. Its not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in. The talk covers real world experiences running AppSec groups at two different companies. Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers that AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security dept which feels inevitable with more traditional AppSec program thinking.

Presenters:

• Matt Tesauro
  Matt Tesauro is a founder of Infinitiv, the Senior Software Security Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools. He holds two degrees from A&M University and several security and Linux certifications.

Links:

• https://bsidesaustin2016.sched.com/event/6Dsw/taking-appsec-to-11-appsec-pipelines-devops-and-making-things-better

Similar Presentations:

• LocoMocoSec 2018 / AppSec Automation: Pipelines, APIs and Getting Things Done Faster Training
• AppSec USA 2015 / Doing AppSec at Scale: Taking the best of DevOps, Agile and CI/CD into AppSec.
• AppSec USA 2016 / AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program