DevSecCon24
Advanced
DevSecCon24 is the first virtual conference in the DevSecCon global conference series – all from the comfort of your home or office. Attendees joined in for 24 hours of inspiring...
What You Will Learn
- Securing Containers
- Securing Code
- Security Testing
- Continuous Security and Compliance Practices
Pre-requisites
None.
DevSecCon24 Talks
A Crash Course in Audit Logs
11m
Description
Application audit logs include a breadcrumb trail of all user activity and the logs are used to answer many different questions in a variety of contexts. Development teams perform analytics on the logs. Security teams write threat detection logic on the logs. Customers will arbitrarily request the logs. Government regulations (GDPR, CCPA, etc.) will mandate that you save them, but then eventually delete them. Your responsibility as a developer or security engineer is to make sure the logs are useful and usable by all of these different stakeholders—and that means robust, high-quality log management tooling. In this talk, we’ll explain the purpose and value of audit logs, present a best-practices logging checklist, and break down an all-purpose log reference format that you can use today!
Table of contents
- A Crash Course in Audit Logs
Americas Keynote: Security Learns to Sprint: DevSecOps
41m
Description
This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for development, operations, and security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves as in days past. We must build security into each of “The Three Ways”: automating and/or improving the efficiency of all security activities so that we don’t slow down developers, speeding up feedback loops for security-related activities so that we fix bugs faster and sooner, and providing continuous learning opportunities in relation to security for both teams. Security can no longer be a gate or stumbling block, and "adding security in" can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it’s time for DevSecOps.
Table of contents
- Americas Keynote: Security Learns to Sprint: DevSecOps
Americas Panel: Lessons Learned from the DevSecOps Trenches
1h 1m
Description
This panel is made up of practitioners who lead application security teams at the forefront of the DevSecOps shift at companies such as Dropbox, Netflix, Datadog, and Signal Sciences. We will share a number of lessons we had to learn the hard way to adapt our security programs. Specifically, the panel will share: Actionable advice on the approaches that have been successful for our programs, what didn't work, specifics of spectacular failures, and where and how to best invest in automation and techniques for scaling security.
Table of contents
- Americas Panel: Lessons Learned from the DevSecOps Trenches
APAC Keynote: Continuous Auditing: Myth vs. Reality
33m
Table of contents
- APAC Keynote: Continuous Auditing: Myth vs. Reality
AppSec Is Dead. Long Live DevSecOps!
37m
Description
In the ancient times of software creation, we had AppSec and we had developers. Generally, AppSec was aware of security problems, their impact, and code-level fixes. However, these remedies would rarely work in the custom tech stack of the company. Developers cranked out software features in a fast, functional and reliable way but also released their code for security review as late as possible. Why? To shorten the AppSec feedback window, ensuring their out-of-context security recommendations would bounce back well after the release window and not halt proceedings. A little dysfunctional, to say the least. Fast-forward to today, and our demand for software is greater than ever before, as is the risk of data breaches from common vulnerabilities. This fractured process cannot work, and the DevSecOps movement is here to change the game. DevSecOps creates an environment of shared responsibility for security, where developers become responsible for effective deployment, and the lines between AppSec and development teams are increasingly blurred and more collaborative. The days of a hands-off security approach for developers are over, and with the right training and tools, they can take advantage of this process, upskill their security awareness and stand out among their peers. Security expert Dr. Matias Madou will demonstrate the changes the industry has faced in the journey from Waterfall to DevSecOps, as well as reveal how you, the developer, can become a powerful piece of the DevSecOps pipeline without compromising the work you love most.
Table of contents
- AppSec Is Dead. Long Live DevSecOps!
Building an Observable Infrastructure and Code
38m
Description
"With microservices, every outage is like a murder mystery" is a common complaint, but it doesn’t have to be. With the evolution of open source tools and tech, you can monitor service level availability, logs, security events and application traces.
Table of contents
- Building an Observable Infrastructure and Code
Collection Is Not Detection and Other Rules for Modernising Sec Ops
41m
Description
Security operations has always been hard. How many logs should you collect? Which logs should you collect? How do you respond and remediate quickly? Then, just when you thought you had it right for your on-premises environment, you decide to move to the cloud and have to start all over again... or do you? In this talk, Sarah will discuss how security operations change from on-prem to the cloud and how to optimize your security operations in a hybrid environment to make use of modern tooling such as automation, AI/ML, etc.
Table of contents
- Collection Is Not Detection and Other Rules for Modernising Sec Ops
Container Security: A Five Year Perspective
40m
Description
This talk is about the successes, failures, the ones that got away, and the work we still haven’t done in the fast moving field of container security.
Table of contents
- Container Security: A Five Year Perspective
Dev-first Security: Learning from the Pioneers
38m
Description
Digital transformation, cloud and DevOps, have radically changed how we run our business and build software. Yet, security practices in most companies remain largely unchanged, and so are left behind. This talk shares practices and learnings from companies with forward thinking security teams. You'll also hear practical tips and tricks from these leaders and a broader view on dev-first security.
Table of contents
- Dev-first Security: Learning from the Pioneers
Domain Models: Security as a First-class Concern
36m
Description
Integrating security into the development process is critical for the proper functioning of an application. API gateways, RBAC systems, and service mesh sidecars can all provide some elements of security, but the final arbiter of who can do what, and under what circumstances, must be the domain model. One critical aspect of application security is being able to test the application's security constraints as part of the normal domain logic, asserting on them in a simple, on-workstation test suite without recourse to external API gateways or other access control mechanisms. In this talk, you'll get a look at how to embed security in domain models, allowing developers to take greater responsibility for integrating security into the core of our applications. You'll see patterns for coarse- and fine-grained access control as well as complex business rules about who may do what to which entity, when, and under what circumstances.
Table of contents
- Domain Models: Security as a First-class Concern
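One way to put the access rule inside the entity and exercise it from a plain workstation test, written here as an added Python example that is not code from the talk. The Invoice entity, its roles, its lifecycle states and the separation-of-duties rule are hypothetical stand-ins for whatever the real domain model contains:

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    VIEWER = "viewer"
    EDITOR = "editor"
    ADMIN = "admin"


@dataclass(frozen=True)
class Principal:
    """The caller, as established by whatever authenticated the request (gateway, mesh, session)."""
    user_id: str
    roles: frozenset


class AuthorizationError(PermissionError):
    pass


@dataclass
class Invoice:
    """Hypothetical aggregate root that owns its own access rules."""
    invoice_id: str
    owner_id: str
    amount: int
    status: str = "draft"  # lifecycle: draft -> submitted -> approved

    def can(self, who: Principal, action: str) -> bool:
        """Single source of truth for who may do what to this invoice, and when.

        Coarse-grained: role checks. Fine-grained: ownership and lifecycle state.
        Unknown actions are denied by default.
        """
        if Role.ADMIN in who.roles:
            return True
        is_owner = who.user_id == self.owner_id
        is_editor = Role.EDITOR in who.roles
        if action == "read":
            return is_owner or is_editor or Role.VIEWER in who.roles
        if action in ("edit", "submit"):
            return is_owner and is_editor and self.status == "draft"
        if action == "approve":
            # Separation of duties: editors approve, but never their own invoice.
            return is_editor and not is_owner and self.status == "submitted"
        return False

    def _require(self, who: Principal, action: str) -> None:
        if not self.can(who, action):
            raise AuthorizationError(
                f"{who.user_id} may not {action} invoice {self.invoice_id} (status={self.status})"
            )

    # Every state-changing operation enforces the rule itself, so a caller that
    # bypasses the API gateway (a batch job, a misrouted internal call) gains nothing.
    def set_amount(self, who: Principal, amount: int) -> None:
        self._require(who, "edit")
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.amount = amount

    def submit(self, who: Principal) -> None:
        self._require(who, "submit")
        self.status = "submitted"

    def approve(self, who: Principal) -> None:
        self._require(who, "approve")
        self.status = "approved"


def walkthrough() -> dict:
    """Runs the lifecycle with three constructed principals and records each decision."""
    alice = Principal("alice", frozenset({Role.EDITOR}))
    bob = Principal("bob", frozenset({Role.EDITOR}))
    carol = Principal("carol", frozenset({Role.VIEWER}))
    inv = Invoice("INV-1", owner_id="alice", amount=100)
    out = {"viewer_reads": inv.can(carol, "read"), "viewer_edits": inv.can(carol, "edit")}
    inv.set_amount(alice, 250)
    out["owner_approves_own"] = inv.can(alice, "approve")
    inv.submit(alice)
    out["owner_edits_after_submit"] = inv.can(alice, "edit")
    out["owner_approves_own_submitted"] = inv.can(alice, "approve")
    out["peer_approves"] = inv.can(bob, "approve")
    inv.approve(bob)
    try:
        inv.set_amount(alice, 1)
        out["edit_after_approve_raised"] = False
    except AuthorizationError:
        out["edit_after_approve_raised"] = True
    out["final_status"] = inv.status
    out["final_amount"] = inv.amount
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point of the shape is that `can()` is ordinary domain code: a unit test can construct principals and invoices in memory and assert on every branch, and the gateway or sidecar becomes a first line of defence rather than the only one.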
EU Panel: The Joys of Integrating Security Testing into Your Pipeline
57m
Table of contents
- EU Panel: The Joys of Integrating Security Testing into Your Pipeline
Exploring the Benefits of Continuous Security and Compliance for Cloud Infrastructure
14m
Description
Learn how Cloud Architects and DevSecOps teams can bring continuous security awareness, visibility and fixes to their cloud infrastructure and services for governance and operational excellence, helping to reduce misconfiguration and security gaps.
Table of contents
- Exploring the Benefits of Continuous Security and Compliance for Cloud Infrastructure
Fireside Chat: Reality Check on Deep Fakes
43m
Description
Join security advocate Alyssa Miller, journalist J.M. Porup, and privacy & patient rights advocate Andrea Downing for this open conversation about deep fakes. They'll talk about the technology behind deep fakes, including research developments, the potential ethical and privacy concerns, and even analyze how much of a threat deep fakes actually are to political, business, and social interactions.
Table of contents
- Fireside Chat: Reality Check on Deep Fakes
From Developer to Security: Looking at Security from a Developer Lens
38m
Description
In this session, Rey Bango shares a perspective on learning, switching careers and hacking.
Table of contents
- From Developer to Security: Looking at Security from a Developer Lens
Going DevOps: Why "Top down or Bottom Up” Might Be the Wrong Question
6m
Description
In this session, Sabine Wojcieszak talks about why "Top down or bottom up?" might be the wrong question to ask.
Table of contents
- Going DevOps: Why "Top down or Bottom Up” Might Be the Wrong Question
Hardening Your Soft Software Supply Chain
34m
Description
Software supply chain threats are real. As more developers and companies rely on open-source code that anyone can contribute to, this opens the door to a new vector of attack. There are increasing supply chain compromises, which successfully sneak in new backdoored packages, use typosquatting, or even compromise build tooling and signing keys. What's actually happening in the wild? How do you determine your dependencies and properly secure yourself? In this session, you'll learn about common kinds of supply chain attacks and when they’re likely to occur. You'll also hear about what you can do to determine your dependencies, track metadata, and be notified of new security patches you should apply, including best practice. This talk will help you gain a better understanding of what you can do for supply chain security for your organization, the projects you depend on, and the projects you maintain.
Table of contents
- Hardening Your Soft Software Supply Chain
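A small dependency audit of the kind the talk above describes, written here as an added Python example that is not the talk's tooling. It parses a constructed pip requirements file, flags entries that are unpinned or pinned without a hash, and compares each name against a constructed allowlist to catch near-miss (typosquat) names. The `--hash` values are placeholders, not real digests, and the allowlist is invented for the example:

```python
import re

# Constructed allowlist: packages the team has reviewed and expects to see.
KNOWN_GOOD = {"requests", "urllib3", "flask", "cryptography", "pyyaml"}

# Constructed requirements file. The --hash values are placeholders, not real digests.
REQUIREMENTS = """\
requests==2.25.1 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3==1.26.4
reqeusts==2.25.1 --hash=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
flask>=1.0
cryptography==3.4.7 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>\S+)?(?P<rest>.*)$"
)
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(requirements: str, known_good=KNOWN_GOOD, max_distance: int = 2) -> list:
    """Returns (package, finding, detail) tuples in file order."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((line, "UNPARSEABLE", "could not parse requirement"))
            continue
        name = normalize(m["name"])
        op, ver = m["op"], m["ver"]
        hashes = HASH_RE.findall(m["rest"])
        if op != "==":
            findings.append((name, "UNPINNED",
                             f"specifier '{op or ''}{ver or ''}' resolves to whatever is newest at install time"))
        elif not hashes:
            findings.append((name, "NO_HASH",
                             f"pinned to {ver} but no --hash, so a replaced artifact would install silently"))
        if name not in known_good:
            near = sorted(k for k in known_good if edit_distance(name, k) <= max_distance)
            if near:
                findings.append((name, "POSSIBLE_TYPOSQUAT",
                                 f"not on the allowlist but within {max_distance} edits of {near}"))
            else:
                findings.append((name, "UNKNOWN_PACKAGE", "not on the allowlist; review before use"))
    return findings


if __name__ == "__main__":
    for package, finding, detail in audit(REQUIREMENTS):
        print(f"{finding:<20} {package:<14} {detail}")
```

Run as a pre-merge check this gives you the "determine your dependencies" step in a form that fails the build; pairing it with a lockfile that carries hashes is what turns a pinned version into a verifiable artifact.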
How to Attract More Women (And Not the Way You Think)
7m
Description
Join Moran Weber for this 5-minute session on how to attract more women to tech positions in your company.
Table of contents
- How to Attract More Women (And Not the Way You Think)
How to Be a SOAR Winner
16m
Description
Security orchestration, automation, and response (a.k.a. SOAR) is the cool kid on the block in security right now. Implementing SOAR requires a strategic and a tactical approach in order to avoid pitfalls and ensure ongoing success. Considering why, when, and how your organization should embark on a SOAR initiative requires careful planning. Choosing the right tools and technologies, selecting the right processes, and implementing the right measurements are key to the success of many initiatives, but they are absolutely vital in the case of SOAR. The operational benefits of SOAR are manifold, such as improving efficiency and accuracy, reducing risk, and deriving more value from your current security stack. But it does also beg the question: What does this really mean for our teams? This talk will cover the fundamentals of SOAR, how SOAR can help your organization and your people, how to approach your SOAR initiative, what you should and shouldn’t automate, and how to measure SOAR success.
Table of contents
- How to Be a SOAR Winner
How to Verify for Security Early and Often
12m
Description
In many organizations, testing for security is done following a “scan-then-fix” approach. The security team runs a scanning tool or conducts a pen test, triages the results, and presents a long list of vulnerabilities to be fixed right away to the development team. This is often referred to as "the hamster wheel of pain." There is a better way. This presentation will explore how to inject security verification in every step of the software development, how to make security assessment an integral part of developers’ software engineering practice and which OWASP projects can be leveraged.
Table of contents
- How to Verify for Security Early and Often
Stuffing Your Cloud into Your SOCs
6m
Description
In this 5-minute session, Brendan O'Connor will talk about stuffing your cloud into SOCs.
Table of contents
- Stuffing Your Cloud into Your SOCs
Doodle with Purpose
5m
Table of contents
- Doodle with Purpose
Community: Not Just One Day a Year
6m
Table of contents
- Community: Not Just One Day a Year
Infrastructure-as-Code Security: Why, What, and How
11m
Description
Planning, provisioning, and changing infrastructure are vital to rapid cloud application development. Incorporating infrastructure-as-code into software development promotes transparency and helps prevent bad configurations upstream. It also presents another layer of risk. In this talk, you'll learn about common IaC risks and best practices for securing infrastructure at scale using policy-as-code at both build time and run time.
Table of contents
- Infrastructure-as-Code Security: Why, What, and How
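A build-time policy-as-code check of the kind the talk above refers to, written here as an added Python example and not the talk's own tooling. The resource list is a constructed, simplified stand-in for the `planned_values.root_module.resources` section of `terraform show -json` output, and the three rules (public bucket ACL, SSH open to the world, unencrypted EBS volume) are illustrative policies, not a complete ruleset:

```python
import json

# Constructed sample plan. Shape is a simplified version of the resources array in
# `terraform show -json`: each entry has the resource address, type and its attribute values.
SAMPLE_PLAN = json.dumps({
    "resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "acme-logs", "acl": "public-read"}},
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "values": {"bucket": "acme-data", "acl": "private"}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"address": "aws_ebs_volume.db", "type": "aws_ebs_volume",
         "values": {"size": 100, "encrypted": True}},
        {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
         "values": {"size": 20}},
    ]
})

WORLD = ("0.0.0.0/0", "::/0")


def s3_public_acl(res):
    """Bucket ACL grants read (or write) to everyone."""
    if res["type"] == "aws_s3_bucket" and res["values"].get("acl") in ("public-read", "public-read-write"):
        return f"bucket ACL is {res['values']['acl']}"
    return None


def sg_world_reachable_ssh(res):
    """Any ingress rule whose port range covers 22 and whose source is the whole internet."""
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress", []):
        sources = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        covers_ssh = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 65535)
        if covers_ssh and any(src in WORLD for src in sources):
            return "port 22 reachable from the whole internet"
    return None


def ebs_unencrypted(res):
    """Conservative: an absent 'encrypted' attribute is treated as unencrypted."""
    if res["type"] == "aws_ebs_volume" and res["values"].get("encrypted") is not True:
        return "volume is not encrypted at rest"
    return None


POLICIES = [
    ("S3_PUBLIC_ACL", "high", s3_public_acl),
    ("SG_WORLD_SSH", "high", sg_world_reachable_ssh),
    ("EBS_UNENCRYPTED", "medium", ebs_unencrypted),
]


def evaluate(plan_json: str) -> list:
    """Runs every policy against every resource; returns one finding per violation."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan["resources"]:
        for rule_id, severity, check in POLICIES:
            message = check(res)
            if message:
                findings.append({"rule": rule_id, "severity": severity,
                                 "address": res["address"], "message": message})
    return findings


def gate(findings: list, fail_on=("high",)) -> int:
    """Exit code for a CI step: non-zero when any finding is at or above the fail threshold."""
    return 1 if any(f["severity"] in fail_on for f in findings) else 0


if __name__ == "__main__":
    results = evaluate(SAMPLE_PLAN)
    for f in results:
        print(f"[{f['severity']}] {f['rule']} {f['address']}: {f['message']}")
    raise SystemExit(gate(results))
```

The same policy functions can be pointed at the run-time inventory (a describe-call export in the same shape) to catch drift, which is what the talk means by applying policy-as-code at both build time and run time.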
Modern Dynamic Application Security Testing
13m
Description
Dynamic Application Security Testing has developed a bad rap. Application Security as a whole has struggled to keep up with the shifts in modern software delivery, and that is especially true for dynamic application scanning. However, the ability to run security tests against a running version of the application is one of the best ways to ensure you are finding and fixing the security bugs that attackers may be able to exploit. There is a new way to run security tests against your app that works with new development paradigms: REST, HTTP and GraphQL back ends, authentication requirements, and running in the pipeline. Join StackHawk Co-Founder and Chief Security Officer Scott Gerlach to learn more about how application security can truly be developer-first and the latest in dynamic security testing.
Table of contents
- Modern Dynamic Application Security Testing
Pull Request Etiquette
6m
Table of contents
- Pull Request Etiquette
Secure Your Code - Injections and Logging
41m
Description
Security is a hard problem, especially when you are only running, not writing, an application. This talk shows how to protect against injections and also how to monitor for them, combining two of the OWASP Top 10 security risks: 1. Injection (A1:2017): We use a simple application exploitable by injection and then secure it with the Web Application Firewall (WAF) ModSecurity. 2. Insufficient Logging & Monitoring (A10:2017): We log and monitor both the secured and the unsecured application with the Elastic Stack.
Table of contents
- Secure Your Code - Injections and Logging
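The code-level side of the two risks named above, as an added Python example rather than the talk's own demo application: a lookup that is vulnerable to SQL injection next to its parameterized fix, and a small detection pass over constructed access-log lines of the kind one would ship to the Elastic Stack. The WAF (ModSecurity) is not reproduced here; the log rules stand in for the monitoring half, and the table, rows, log lines and rule patterns are all constructed for the example:

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # DELIBERATELY VULNERABLE: the caller's string is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest becomes SQL.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Fixed form: the value travels as a bound parameter and can never become SQL.
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


# Constructed access-log lines (common log format). The two from 10.0.0.9 carry payloads.
LOG_LINES = """\
10.0.0.5 - - [12/Jun/2020:10:01:02 +0000] "GET /user?name=alice HTTP/1.1" 200 312
10.0.0.9 - - [12/Jun/2020:10:01:07 +0000] "GET /user?name=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 901
10.0.0.9 - - [12/Jun/2020:10:01:09 +0000] "GET /user?name=x%27+UNION+SELECT+username%2Cemail+FROM+users-- HTTP/1.1" 200 1204
10.0.0.7 - - [12/Jun/2020:10:02:30 +0000] "GET /search?q=oreo+cookies HTTP/1.1" 200 222
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Illustrative signatures, checked against each decoded query parameter value.
SQLI_RULES = [
    ("TAUTOLOGY", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("UNION_SELECT", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("COMMENT_TRUNCATION", re.compile(r"(--|#|/\*)\s*$")),
]


def detect_sqli(log_text: str) -> list:
    """Parses each line, URL-decodes the query string, and emits one alert per suspicious value."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                rule = next((name for name, pat in SQLI_RULES if pat.search(value)), None)
                if rule:
                    alerts.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                                   "rule": rule, "value": value})
    return alerts


def demo() -> dict:
    """Shows the same payload against both query forms, then the log detection."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, payload)),
        "safe_rows": len(find_user_safe(conn, payload)),
        "alerts": detect_sqli(LOG_LINES),
    }


if __name__ == "__main__":
    result = demo()
    print(f"vulnerable query returned {result['vulnerable_rows']} rows, safe query {result['safe_rows']}")
    for alert in result["alerts"]:
        print(f"{alert['ts']} {alert['ip']} {alert['rule']} param={alert['param']} value={alert['value']!r}")
```

Two things the example makes visible that the abstract does not: the decoded parameter value, not the raw request line, is what the detection must inspect (the payloads arrive percent-encoded), and the parameterized query returns zero rows for the same input that makes the vulnerable one dump the table.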
Securing Containers by Breaking in
29m
Description
There’s no better way to understand container security than seeing some live hacking. This session explains and distinguishes the security concerns of each layer in the container stack. We’ll look at OS dependencies in your images and, of course, your application dependencies. Our hacks and advice will help you better understand the mistakes you could make, their implications and how you can avoid them.
Table of contents
- Securing Containers by Breaking in
Securing the Pipeline with Open Source Tools
43m
Description
This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team's journey from endpoint security to built-in security and how to avoid common mistakes.
Table of contents
- Securing the Pipeline with Open Source Tools
The Biggest Security Talent Pool You’ve Never Heard Of
40m
Description
At a time when huge shortages in technology talent are projected to reach 3 million globally by 2022, businesses are searching for creative solutions. On the other hand, people with autism face huge employment barriers despite many having highly sought-after skills. The UN estimates that 80% of the 125 million people with autism globally are unemployed or underemployed. Xceptional is a platform that enables autistic job seekers to demonstrate rather than articulate their strengths and matches them to employer partners. Xceptional has been working with several tech firms in Sydney over the past two years to bring about cultural diversity change in large IT firms, challenging the status quo to implement a new approach to security and other areas of IT. Mike Tozer will unpack the idea of cognitive diversity and share practical case studies from this unique work, which has been recognized through $1 million from Google. The specific strengths that, for some autistic people, match security roles will be discussed. The session will include practical tips and deep insights into what life is like with significant sensory processing challenges.
Table of contents
- The Biggest Security Talent Pool You’ve Never Heard Of
The Evolution of the Software Supply Chain Attack
13m
Description
Malicious hackers are becoming increasingly adept at attacking the underbelly of the Software Supply Chain. To cause the most damage while remaining undetected, hackers are rapidly evolving their attack methods. For the past 4 years, the State of the Software Supply Chain Report has documented multiple forms of Open Source Software (OSS) Supply Chain attacks including malicious code injection, stealing project credentials, and typosquatting. However, recent reports (March 9, 2020) have surfaced a new type of Software Supply Chain attack. So far, the Octopus Scanner malware has compromised 26 open source projects hosted on GitHub targeting a well known IDE. Join Ilkka as he shares the proprietary research gathered from 36,000 OSS projects and over 5,000 development teams. Ilkka will walk through how hackers are becoming increasingly successful at breaching Software Supply Chains and what you can do about it.
Table of contents
- The Evolution of the Software Supply Chain Attack
The Five Love Languages of DevOps
5m
Description
Join Matt Stratton for a 5-minute session around the five love languages of DevOps.
Table of contents
- The Five Love Languages of DevOps
The Hacker Hippocampus
17m
Description
Always on the edge of your seat when it comes to new exploits and tricks? Bug bounties, CTFs, live hacking events, simulations, and interactive educational modules have been shown to stimulate learning and reinforce new tools and knowledge, making you a stronger red teamer. But how does your brain process gamification and threats as a hacker? This gamified, interactive talk shares how our brains are stimulated by them and how to up your game.
Table of contents
- The Hacker Hippocampus
Things I Learned About Software from Musicals
6m
Description
In this 5-minute session, Victoriya Kalmanovich will share things learned about software from musicals.
Table of contents
- Things I Learned About Software from Musicals
Threat Modeling the Death Star
33m
Description
Traditionally, Threat Models have been a slow and boring process that end up with a giant document detailing any possible security problem. This approach, although useful in the past, is not necessarily good in an ever changing environment. In this session, Mario Areias will introduce attack trees and how they can fit in a DevOps world. This talk will also challenge some of the assumptions about threat models.
Table of contents
- Threat Modeling the Death Star
Unquantified Serendipity: Diversity in Development
8m
Description
Join Quintessence Anx for a 5-minute session focused on diversity in development.
Table of contents
- Unquantified Serendipity: Diversity in Development
When Stress Meets Tech
21m
Description
No matter what profession you are in, our jobs can contain a variety of stress factors, which are unknown to individuals looking from the outside. The lecture offers solutions to support individuals who are afflicted by stress within the IT community.
Table of contents
- When Stress Meets Tech