Practical Tips for Defending Web Applications in the Age of DevOps
Offered By: Black Hat via YouTube
Course Description
Overview
Discover practical tips for defending web applications in the DevOps era in this 36-minute Black Hat conference talk by Zane Lackey. Learn how to adapt traditional security controls like static analysis and dynamic scanning to modern development practices. Gain insights on obtaining visibility to empower development and DevOps teams, and measure your organization's security maturity effectively. Explore the fundamental shifts in security, changes in the software development lifecycle, and strategies for implementing lightweight security efforts. Delve into topics such as command execution analysis, driving security conversations, adapting scanning techniques, enforcing security policies, and achieving continuous feedback and visibility. Understand the strategic benefits of these approaches and how they can enhance your web application security in today's fast-paced development environment.
Syllabus
Intro
Background
Security fundamentally shifts
What has changed
The existential shift
Security has to fundamentally change
What are the pieces of the SDLC
Agenda
Static Analysis
Static Analysis in the Past
Change the Core Static Analysis
Start with Command Execution
Use Static Analysis to Drive Conversations
Dynamic Scanning
Dynamic Scanning for Vulnerability Discovery
How to Adapt Scanning
How to Enforce Security Policies
Security Visibility
Security Visibility in the Past
How Do We Change This
What Does This Mean
Security Operationally Relevant Data
Feedback
Annual Pentest
Bug bounties
Thought leaders
Continuous feedback continuous visibility
Strategic benefits
Positive case
Taught by
Black Hat