SDLC for the DevSecOps Era - Adapting Application Security Techniques
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore effective application security techniques for the DevOps era in this 32-minute conference talk from AppSec EU 2017. Learn how to adapt traditional heavyweight security controls like static analysis and dynamic scanning to lightweight efforts that align with modern development and deployment practices. Discover methods for obtaining visibility that enables, rather than hinders, rapid iteration by development and DevOps teams. Gain insights on measuring the maturity of your organization's security efforts in practical, non-theoretical ways. The talk covers topics such as bottom-up and top-down static analysis, proactive alerting, challenges in dynamic scanning, security policies, and breaking down silos between teams. Understand the shift from legacy approaches to modern feedback visibility and continuous testing, ultimately aiming to create a more effective software development lifecycle for the DevSecOps era.
Syllabus
Intro
interpretive dance
Zane's background
DevOps
Spoiler
What has changed
The real shift
Legacy approaches
Technical diagram
FDL primitives
Common primitives
What do we need to adapt
Static Analysis
Legacy Static Analysis
Bottom-Up Static Analysis
Top-Down Static Analysis
Red Flags
Proactive alerting
Dynamic scanning
Scanning as a method of discovering vulnerabilities
Challenges
Security Policies
Security Visibility
Breaking Down Silos
HTTP 500 Errors
Bringing Data Together
Vintage Meme
Annual Pen Tests
Pen Tests and Bug bounties
Conclusion
Attack Driven
Modern Feedback Visibility
Continuous Testing
Happy Note
Security Reports
Taught by
OWASP Foundation
Related Courses
DevOps CI/CD Pipeline: Automation from development to deployment (Universidad Anáhuac via edX)
DevOps Pipeline: Automatización hasta el despliegue (Universidad Anáhuac via edX)
Exploring the Benefits of Continuous Security and Compliance for Cloud Infrastructure (Pluralsight)
Integrating Incident Response into DevSecOps (Pluralsight)
DevSecOps: Building a Secure Continuous Delivery Pipeline (LinkedIn Learning)