Practical Tips for Web Application Security in the Age of Agile and DevOps
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore practical tips for web application security in the age of agile and DevOps in this 53-minute conference talk recorded at AppSecUSA 2016. Learn how to adapt traditional heavyweight security controls to lightweight efforts suitable for modern development practices. Discover techniques for obtaining visibility that enables rapid iteration, and gain insights on measuring security maturity in a non-theoretical way. Delve into topics such as static analysis, dynamic scanning, proactive alerting, and attack-driven defense. Benefit from real-world examples and experiences shared by Zane Lackey, Founder/Chief Security Officer at Signal Sciences and former Director of Security Engineering at Etsy.
Syllabus
Intro
Zane's background
What is this talk about
Cliché alert
Changes in DevOps
Security is no longer outsourced
Waterfall security methodology
Core components
What pieces of this need to change
Agenda
Static analysis
Traditional static analysis
How to adapt
Command execution
Hashing and encryption
Proactive alerting
Scanning
Dynamic scanning
Cheap use cases
Legacy visibility
Building effective visibility
Feedback legacy
Bounties
The hallmark of modern app tech
Attack driven defense
Work your way back
Data forensics
Etsy example
Closing thesis
Questions
Taught by
OWASP Foundation
Related Courses
Desarrollo y Diseño de Videojuegos: Proyecto final (Video Game Development and Design: Final Project), Universidad de los Andes via Coursera
Web Application Development: Basic Concepts, University of New Mexico via Coursera
Agile Development in Practice (Project-centered Course), University of Virginia via Coursera
软件工程 (Software Engineering), Peking University via Coursera
Software Engineering: Introduction, The University of British Columbia via edX