DevSecCon24

Author: DevSecCon

DevSecCon24 is the first virtual conference in the DevSecCon global conference series, attended from the comfort of your home or office. Attendees joined in for 24 hours of inspiring...

What You Will Learn

  • Securing Containers
  • Securing Code
  • Security Testing
  • Continuous Security and Compliance Practices

Pre-requisites

None.

DevSecCon24 Talks

A Crash Course in Audit Logs

by DevSecCon

Sep 24, 2020 / 11m

Description

Application audit logs include a breadcrumb trail of all user activity and the logs are used to answer many different questions in a variety of contexts. Development teams perform analytics on the logs. Security teams write threat detection logic on the logs. Customers will arbitrarily request the logs. Government regulations (GDPR, CCPA, etc.) will mandate that you save them, but then eventually delete them. Your responsibility as a developer or security engineer is to make sure the logs are useful and usable by all of these different stakeholders—and that means robust, high-quality log management tooling. In this talk, we’ll explain the purpose and value of audit logs, present a best-practices logging checklist, and break down an all-purpose log reference format that you can use today!
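The abstract describes what an audit record has to serve (developers, detection engineers, customers, and a retention mandate that says keep it, then delete it) but does not reproduce the reference format itself. The following is an added example, not code from the talk or from DevSecCon: it defines an assumed minimal field set, validates records before they are written, emits them as JSON lines with a hash chain (tamper evidence goes beyond the abstract; it is a practitioner addition), and expires records past a retention window. Field names, the deny-list of key names, the actor and request identifiers, and the timestamps are all constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed field set for this example; the talk's own reference format is not reproduced here.
REQUIRED_FIELDS = ("timestamp", "actor", "action", "target", "outcome", "request_id")
# Assumed deny-list: key names that must never appear in an audit record.
FORBIDDEN_KEY_PARTS = ("password", "token", "secret", "authorization", "cookie")


def make_audit_event(actor, action, target, outcome, request_id, *, source_ip=None, now=None):
    """One audit record: who did what to which resource, when, with what result."""
    ts = now or datetime.now(timezone.utc)
    return {
        "timestamp": ts.isoformat(),   # RFC 3339, always UTC
        "actor": actor,                # user id or service principal, never a display name
        "action": action,              # dotted verb, e.g. "invoice.delete"
        "target": target,              # stable resource identifier
        "outcome": outcome,            # "success" or "failure"; failures matter to detection
        "request_id": request_id,      # joins this record to application and access logs
        "source_ip": source_ip,
    }


def validate_event(event):
    """Return the list of problems; an empty list means every consumer can use the record."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not event.get(f)]
    problems += [f"forbidden field: {k}" for k in event
                 if any(part in k.lower() for part in FORBIDDEN_KEY_PARTS)]
    if event.get("outcome") not in ("success", "failure"):
        problems.append("outcome must be 'success' or 'failure'")
    return problems


def _canonical(event):
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def serialize(event, prev_hash=""):
    """Emit one JSON line; the hash chain makes edits or deletions inside the log detectable."""
    digest = hashlib.sha256((prev_hash + _canonical(event)).encode()).hexdigest()
    return json.dumps({**event, "prev_hash": prev_hash, "hash": digest}, sort_keys=True), digest


def verify_chain(lines, start_hash=""):
    """True if every line's hash covers its content and the previous line's hash."""
    prev = start_hash
    for line in lines:
        rec = json.loads(line)
        stored = rec.pop("hash")
        if rec.pop("prev_hash") != prev:
            return False
        if hashlib.sha256((prev + _canonical(rec)).encode()).hexdigest() != stored:
            return False
        prev = stored
    return True


def expire(lines, retention_days, now):
    """Drop records older than the window (lines assumed chronological); returns (kept, last_expired_hash)."""
    cutoff = now - timedelta(days=retention_days)
    kept, last_expired = [], ""
    for line in lines:
        rec = json.loads(line)
        if datetime.fromisoformat(rec["timestamp"]) >= cutoff:
            kept.append(line)
        else:
            last_expired = rec["hash"]
    return kept, last_expired


def demo():
    """Constructed records with fixed timestamps so the results are deterministic."""
    t_old = datetime(2020, 6, 1, tzinfo=timezone.utc)
    t_new = datetime(2020, 9, 24, 12, 0, tzinfo=timezone.utc)
    e_old = make_audit_event("svc-billing", "invoice.export", "invoice/7", "success", "req-0", now=t_old)
    e_new = make_audit_event("alice", "invoice.delete", "invoice/42", "failure", "req-1",
                             source_ip="203.0.113.5", now=t_new)
    line_old, h_old = serialize(e_old)
    line_new, h_new = serialize(e_new, h_old)
    tampered = line_new.replace('"alice"', '"mallory"')
    kept, last_expired = expire([line_old, line_new], retention_days=90,
                                now=datetime(2020, 9, 25, tzinfo=timezone.utc))
    return {
        "valid": validate_event(e_new),
        "invalid": validate_event({**e_new, "password": "hunter2", "outcome": "ok"}),
        "chain_ok": verify_chain([line_old, line_new]),
        "chain_tampered": verify_chain([line_old, tampered]),
        "retained": len(kept),
        "chain_ok_after_expiry": verify_chain(kept, start_hash=last_expired),
    }


if __name__ == "__main__":
    print(demo())
```

The retention step is the one that bites in practice: deleting the head of a hash-chained log breaks verification from the beginning, so `expire` hands back the hash of the last deleted record and `verify_chain` accepts it as the new chain start. That value needs to be stored somewhere the log itself cannot overwrite.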

Table of contents
  1. A Crash Course in Audit Logs

Americas Keynote: Security Learns to Sprint: DevSecOps

by DevSecCon

Sep 25, 2020 / 41m

Description

This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of roughly 100 developers to 10 operations staff to 1 security person, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more secure products, instead of trying to do it all themselves as in days past. We must build security into each of "The Three Ways": automating and/or improving the efficiency of all security activities so that we don't slow down developers, speeding up feedback loops for security-related activities so that we fix bugs faster and sooner, and providing continuous learning opportunities about security for both teams. Security can no longer be a gate or stumbling block, and "adding security in" can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it's time for DevSecOps.

Table of contents
  1. Americas Keynote: Security Learns to Sprint: DevSecOps

Americas Panel: Lessons Learned from the DevSecOps Trenches

by DevSecCon

Sep 25, 2020 / 1h 1m

Description

This panel is made up of practitioners who lead application security teams at the forefront of the DevSecOps shift at companies such as Dropbox, Netflix, Datadog, and Signal Sciences. We will share a number of lessons we had to learn the hard way to adapt our security programs. Specifically, the panel will share: Actionable advice on the approaches that have been successful for our programs, what didn't work, specifics of spectacular failures, and where and how to best invest in automation and techniques for scaling security.

Table of contents
  1. Americas Panel: Lessons Learned from the DevSecOps Trenches

APAC Keynote: Continuous Auditing: Myth vs. Reality

by DevSecCon

Sep 25, 2020 / 33m

Description

This keynote will focus on the myths and reality of continuous auditing.

Table of contents
  1. APAC Keynote: Continuous Auditing: Myth vs. Reality

AppSec Is Dead. Long Live DevSecOps!

by DevSecCon

Sep 24, 2020 / 37m

Description

In the ancient times of software creation, we had AppSec and we had developers. Generally, AppSec was aware of security problems, their impact, and code-level fixes. However, these remedies would rarely work in the company's custom tech stack. Developers cranked out software features in a fast, functional and reliable way, but also released their code for security review as late as possible. Why? To shorten the AppSec feedback window, ensuring that out-of-context security recommendations would bounce back well after the release window and not halt proceedings. A little dysfunctional, to say the least. Fast-forward to today, and our demand for software is greater than ever before, as is the risk of data breaches from common vulnerabilities. This fractured process cannot work, and the DevSecOps movement is here to change the game. DevSecOps creates an environment of shared responsibility for security, where developers become responsible for effective deployment, and the lines between AppSec and development teams are increasingly blurred and more collaborative. The days of a hands-off security approach for developers are over, and with the right training and tools, they can take advantage of this process, upskill their security awareness and stand out among their peers. Security expert Dr. Matias Madou will demonstrate the changes the industry has faced in the journey from Waterfall to DevSecOps, and reveal how you, the developer, can become a powerful piece of the DevSecOps pipeline without compromising the work you love most.

Table of contents
  1. AppSec Is Dead. Long Live DevSecOps!

Building an Observable Infrastructure and Code

by DevSecCon

Sep 24, 2020 / 38m

Description

"With microservices, every outage is like a murder mystery" is a common complaint, but it doesn’t have to be. With the evolution of open source tools and tech, you can monitor service level availability, logs, security events and application traces.

Table of contents
  1. Building an Observable Infrastructure and Code

Collection Is Not Detection and Other Rules for Modernising Sec Ops

by DevSecCon

Sep 24, 2020 / 41m

Description

Security operations has always been hard. How many logs should you collect? Which logs should you collect? How do you respond and remediate quickly? Then, just when you think you've got it right on-premises, you decide to move to the cloud and have to start all over again... or do you? In this talk, Sarah will discuss how security operations change from on-prem to the cloud, and how to optimize your security operations in a hybrid environment by making use of modern tooling such as automation and AI/ML.

Table of contents
  1. Collection Is Not Detection and Other Rules for Modernising Sec Ops

Container Security: A Five Year Perspective

by DevSecCon

Sep 24, 2020 / 40m

Description

This talk is about the successes, the failures, the ones that got away, and the work we still haven't done in the fast-moving field of container security.

Table of contents
  1. Container Security: A Five Year Perspective

Dev-first Security: Learning from the Pioneers

by DevSecCon

Sep 24, 2020 / 38m

Description

Digital transformation, cloud and DevOps have radically changed how we run our businesses and build software. Yet security practices in most companies remain largely unchanged, and so are left behind. This talk shares practices and learnings from companies with forward-thinking security teams. You'll also hear practical tips and tricks from these leaders and get a broader view of dev-first security.

Table of contents
  1. Dev-first Security: Learning from the Pioneers

Domain Models: Security as a First-class Concern

by DevSecCon

Sep 24, 2020 / 36m

Description

Integrating security into the development process is critical for the proper functioning of an application. API gateways, RBAC systems, and service mesh sidecars can all provide some elements of security, but the final arbiter of who can do what and under what circumstances must be the responsibility of the domain model. One critical aspect of application security is being able to test the application's security constraints as part of the normal domain logic, and asserting about it as part of a simple, on-workstation test suite without recourse to external API gateways or other access control mechanisms. In this talk, you'll get a look at how to embed security in domain models, allowing for developers to take greater responsibility for integrating security into the core of our applications. You'll see some patterns for coarse- and fine-grained access control as well as complex business rules about who may do what to which entity, when, and under what circumstances.
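The abstract's claim is that the domain model, not the gateway or the sidecar, must be the final arbiter of who may do what to which entity, when, and under what circumstances, and that those rules must be testable on a workstation. The example below is added here and is not the speaker's code: a hypothetical `Invoice` aggregate whose `approve` and `pay` methods enforce a coarse-grained role check and then fine-grained rules (separation of duties, lifecycle state, business hours, an amount limit) and raise `NotAuthorized` themselves. The business rules, the role names, the limit and the hours are all assumptions made for the example. `demo()` is the on-workstation test the talk asks for: no network, no external access-control system.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class NotAuthorized(Exception):
    """Raised by the domain model itself; no gateway or sidecar is consulted."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass
class Invoice:
    invoice_id: str
    owner_id: str
    amount: int                    # assumed unit: whole currency units
    state: str = "draft"           # lifecycle: draft -> approved -> paid
    history: list = field(default_factory=list)

    # Assumed business rules for the example; they are not from the talk.
    APPROVAL_LIMIT = 10_000        # above this, only a senior approver may approve
    BUSINESS_HOURS = range(9, 18)  # approvals only during these UTC hours

    def _require(self, condition, principal, action):
        if not condition:
            raise NotAuthorized(f"{principal.user_id} may not {action} {self.invoice_id}")

    def can_view(self, principal):
        # coarse-grained: the finance role sees everything; fine-grained: owners see their own
        return "finance" in principal.roles or principal.user_id == self.owner_id

    def approve(self, principal, now):
        # coarse-grained role check
        self._require("approver" in principal.roles, principal, "approve")
        # fine-grained rules: separation of duties, entity state, time, and amount
        self._require(principal.user_id != self.owner_id, principal, "approve their own")
        self._require(self.state == "draft", principal, f"approve an already {self.state}")
        self._require(now.hour in self.BUSINESS_HOURS, principal, "approve outside business hours")
        self._require(self.amount <= self.APPROVAL_LIMIT or "senior_approver" in principal.roles,
                      principal, "approve an over-limit")
        self.state = "approved"
        self.history.append((principal.user_id, "approve", now.isoformat()))

    def pay(self, principal, now):
        self._require("treasury" in principal.roles, principal, "pay")
        self._require(self.state == "approved", principal, f"pay a {self.state}")
        self.state = "paid"
        self.history.append((principal.user_id, "pay", now.isoformat()))


def attempt(action):
    """Run a domain action and return None on success or the refusal message."""
    try:
        action()
        return None
    except NotAuthorized as e:
        return str(e)


def demo():
    """On-workstation test of the rules: no network, no gateway, only the domain model."""
    owner = Principal("bob", frozenset({"approver"}))
    approver = Principal("carol", frozenset({"approver"}))
    senior = Principal("dana", frozenset({"approver", "senior_approver"}))
    treasury = Principal("erin", frozenset({"treasury"}))
    ten_am = datetime(2020, 9, 24, 10, tzinfo=timezone.utc)
    eight_pm = datetime(2020, 9, 24, 20, tzinfo=timezone.utc)

    small = Invoice("INV-1", owner_id="bob", amount=500)
    big = Invoice("INV-2", owner_id="bob", amount=50_000)
    return {
        "owner_self_approve": attempt(lambda: small.approve(owner, ten_am)),
        "pay_before_approval": attempt(lambda: small.pay(treasury, ten_am)),
        "after_hours": attempt(lambda: small.approve(approver, eight_pm)),
        "approve_ok": attempt(lambda: small.approve(approver, ten_am)),
        "approve_twice": attempt(lambda: small.approve(senior, ten_am)),
        "pay_ok": attempt(lambda: small.pay(treasury, ten_am)),
        "over_limit_plain": attempt(lambda: big.approve(approver, ten_am)),
        "over_limit_senior": attempt(lambda: big.approve(senior, ten_am)),
        "final_states": (small.state, big.state),
        "owner_can_view": small.can_view(owner) and not small.can_view(treasury),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because `now` is passed in rather than read from the clock, the time-based rule is as testable as the others; the same applies to anything else the rules depend on (feature flags, organisational hierarchy), which should arrive as values, not be fetched from inside the aggregate.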

Table of contents
  1. Domain Models: Security as a First-class Concern

EU Panel: The Joys of Integrating Security Testing into Your Pipeline

by DevSecCon

Sep 28, 2020 / 57m

Description

Watch this panel on integrating security testing into your pipeline.

Table of contents
  1. EU Panel: The Joys of Integrating Security Testing into Your Pipeline

Exploring the Benefits of Continuous Security and Compliance for Cloud Infrastructure

by DevSecCon

Sep 24, 2020 / 14m

Description

Learn how Cloud Architects and DevSecOps teams can bring continuous security awareness, visibility and fixes to their cloud infrastructure and services for governance and operational excellence, helping to reduce misconfiguration and security gaps.

Table of contents
  1. Exploring the Benefits of Continuous Security and Compliance for Cloud Infrastructure

Fireside Chat: Reality Check on Deep Fakes

by DevSecCon

Sep 25, 2020 / 43m

Description

Join security advocate Alyssa Miller, journalist J.M. Porup, and privacy & patient rights advocate Andrea Downing for this open conversation about deep fakes. They'll talk about the technology behind deep fakes, including research developments, the potential ethical and privacy concerns, and even analyze how much of a threat deep fakes actually are to political, business, and social interactions.

Table of contents
  1. Fireside Chat: Reality Check on Deep Fakes

From Developer to Security: Looking at Security from a Developer Lens

by DevSecCon

Sep 25, 2020 / 38m

Description

In this session, Rey Bango shares a perspective on learning, switching careers and hacking.

Table of contents
  1. From Developer to Security: Looking at Security from a Developer Lens

Going DevOps: Why "Top down or Bottom Up” Might Be the Wrong Question

by DevSecCon

Sep 25, 2020 / 6m

Description

In this session, Sabine Wojcieszak talks about why "Top down or bottom up?" might be the wrong question to ask.

Table of contents
  1. Going DevOps: Why "Top down or Bottom Up” Might Be the Wrong Question

Hardening Your Soft Software Supply Chain

by DevSecCon

Sep 24, 2020 / 34m

Description

Software supply chain threats are real. As more developers and companies rely on open-source code that anyone can contribute to, a new attack vector opens up. Supply chain compromises are increasing: they sneak in newly backdoored packages, use typosquatting, or even compromise build tooling and signing keys. What's actually happening in the wild? How do you determine your dependencies and properly secure yourself? In this session, you'll learn about common kinds of supply chain attacks and when they're likely to occur. You'll also hear what you can do to determine your dependencies, track metadata, and be notified of new security patches you should apply, along with best practices. This talk will help you gain a better understanding of what you can do for supply chain security in your organization, in the projects you depend on, and in the projects you maintain.
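Two of the talk's "what you can do" items, determining your dependencies and matching them against new security patches, plus the typosquatting vector it names (and which the later "Evolution of the Software Supply Chain Attack" abstract names again), can be shown end to end. The block below is an added example, not code from either talk or from any real tool: it parses a pinned lockfile, flags names that are one or two edits away from an intended package, and reports pins below the first fixed version in an advisory feed. The lockfile, the package names (`acme-*`), the allow-list and the advisory feed with its `EXAMPLE-*` identifiers are all constructed for the example and describe no real package or vulnerability; version comparison is deliberately simplified and a real tool must implement PEP 440 or semver.

```python
import re

# Constructed lockfile for a hypothetical project; package names are fictional.
LOCKFILE = """\
acme-http==2.22.0
acme-yaml==5.1
acme-htpp==2.24.0
acme-crypto==3.0.1
"""

# Constructed advisory feed: package -> [(first fixed version, advisory id)]. Entirely hypothetical.
ADVISORIES = {
    "acme-http": [("2.23.0", "EXAMPLE-2020-0001")],
    "acme-yaml": [("5.4", "EXAMPLE-2020-0002")],
}

# Packages the project intends to use (its allow-list). Near-misses are typosquat candidates.
INTENDED = {"acme-http", "acme-yaml", "acme-crypto"}


def parse_lockfile(text):
    """Return {name: version} from 'name==version' lines; ignores comments and blanks."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unsupported lockfile line: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def version_key(v):
    """Numeric tuple for comparison. Simplified: real tools must implement PEP 440 / semver."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def edit_distance(a, b):
    """Levenshtein distance, used to spot names one or two edits away from an intended package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(deps, intended, max_distance=2):
    """Names not on the allow-list that look like a misspelling of something on it."""
    hits = []
    for name in deps:
        if name in intended:
            continue
        for good in sorted(intended):
            if edit_distance(name, good) <= max_distance:
                hits.append((name, good))
    return hits


def find_vulnerable(deps, advisories):
    """Pinned versions below the first fixed version of a known advisory."""
    hits = []
    for name, version in deps.items():
        for fixed, advisory_id in advisories.get(name, []):
            if version_key(version) < version_key(fixed):
                hits.append((name, version, fixed, advisory_id))
    return hits


def audit(lockfile_text=LOCKFILE):
    """Inventory first, then the two checks; the inventory is what the metadata tracking hangs off."""
    deps = parse_lockfile(lockfile_text)
    return {
        "dependencies": deps,
        "typosquats": find_typosquats(deps, INTENDED),
        "vulnerable": find_vulnerable(deps, ADVISORIES),
    }


if __name__ == "__main__":
    print(audit())
```

The typosquat check only catches names close to something you already meant to install; a malicious package that a legitimate dependency pulls in transitively is invisible to it, which is why the talk's advice starts with actually determining (and pinning) the full dependency set.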

Table of contents
  1. Hardening Your Soft Software Supply Chain

How to Attract More Women (And Not the Way You Think)

by DevSecCon

Sep 25, 2020 / 7m

Description

Join Moran Weber for this 5-minute session on how to attract more women to tech positions in your company.

Table of contents
  1. How to Attract More Women (And Not the Way You Think)

How to Be a SOAR Winner

by DevSecCon

Sep 24, 2020 / 16m

Description

Security orchestration, automation, and response (SOAR) is the cool kid on the block in security right now. Implementing SOAR requires both a strategic and a tactical approach in order to avoid pitfalls and ensure ongoing success. Considering why, when, and how your organization should embark on a SOAR initiative requires careful planning. Choosing the right tools and technologies, selecting the right processes, and implementing the right measurements are key to the success of many initiatives, but they are absolutely vital in the case of SOAR. The operational benefits of SOAR are manifold, such as improving efficiency and accuracy, reducing risk, and deriving more value from your current security stack. But it also begs the question: what does this really mean for our teams? This talk will cover the fundamentals of SOAR, how SOAR can help your organization and your people, how to approach your SOAR initiative, what you should and shouldn't automate, and how to measure SOAR success.

Table of contents
  1. How to Be a SOAR Winner

How to Verify for Security Early and Often

by DevSecCon

Sep 24, 2020 / 12m

Description

In many organizations, testing for security follows a "scan-then-fix" approach: the security team runs a scanning tool or conducts a pen test, triages the results, and presents the development team with a long list of vulnerabilities to be fixed right away. This is often referred to as "the hamster wheel of pain." There is a better way. This presentation will explore how to inject security verification into every step of software development, how to make security assessment an integral part of developers' software engineering practice, and which OWASP projects can be leveraged.

Table of contents
  1. How to Verify for Security Early and Often

Stuffing Your Cloud into Your SOCs

by DevSecCon

Sep 25, 2020 / 6m

Description

In this 5-minute session, Brendan O'Connor will talk about stuffing your cloud into SOCs.

Table of contents
  1. Stuffing Your Cloud into Your SOCs

Doodle with Purpose

by DevSecCon

Sep 25, 2020 / 5m

Description

Join Ashton Rodenhiser to learn about doodling with purpose.

Table of contents
  1. Doodle with Purpose

Community: Not Just One Day a Year

by DevSecCon

Sep 25, 2020 / 6m

Description

Join Sam Hepburn for a 5-minute session that focuses on community.

Table of contents
  1. Community: Not Just One Day a Year

Infrastructure-as-Code Security: Why, What, and How

by DevSecCon

Sep 24, 2020 / 11m

Description

Planning, provisioning, and changing infrastructure are vital to rapid cloud application development. Incorporating infrastructure-as-code into software development promotes transparency and helps prevent bad configurations upstream, but it also presents another layer of risk. In this talk, you'll learn about common IaC risks and best practices for securing infrastructure at scale using policy-as-code at both build time and run time.
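"Policy-as-code at build time" means evaluating rules against the planned infrastructure before it is applied. The block below is an added example and is not from the talk or from any policy engine: a small registry of checks run over a simplified, constructed plan (a list of resources with flat attribute dicts, which is not the schema of `terraform show -json`), each weak resource placed beside a corrected one of the same type, and a build gate that fails on findings at or above a severity threshold. Resource names, attribute names, rule identifiers and severities are assumptions for the example.

```python
# Constructed, simplified plan: a list of resources with flat attribute dicts. This is NOT the
# schema of `terraform show -json`; a real checker would walk that structure instead.
PLAN = [
    {"type": "aws_s3_bucket", "name": "public_assets",        # weak: world-readable
     "attrs": {"acl": "public-read", "versioning": False}},
    {"type": "aws_s3_bucket", "name": "customer_exports",     # corrected form
     "attrs": {"acl": "private", "versioning": True}},
    {"type": "aws_security_group", "name": "bastion",         # weak: SSH from anywhere
     "attrs": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "name": "web",             # corrected: SSH only from RFC 1918
     "attrs": {"ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
                           {"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"type": "aws_ebs_volume", "name": "db_data", "attrs": {"encrypted": False}},
    {"type": "aws_iam_policy", "name": "ci_runner",
     "attrs": {"statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]}},
]

POLICIES = []   # (rule_id, severity, resource_type, check) registered below


def policy(rule_id, severity, resource_type):
    """Register a check that returns a message when the resource violates the rule, else None."""
    def register(fn):
        POLICIES.append((rule_id, severity, resource_type, fn))
        return fn
    return register


@policy("S3-001", "high", "aws_s3_bucket")
def s3_not_public(attrs):
    if attrs.get("acl", "private") != "private":
        return f"bucket ACL is {attrs['acl']!r}; only 'private' is allowed"


@policy("SG-001", "critical", "aws_security_group")
def no_admin_ports_from_internet(attrs):
    admin_ports = {22, 3389}
    for rule in attrs.get("ingress", []):
        exposed = admin_ports & set(range(rule["from_port"], rule["to_port"] + 1))
        if exposed and "0.0.0.0/0" in rule.get("cidr_blocks", []):
            return f"ports {sorted(exposed)} open to 0.0.0.0/0"


@policy("EBS-001", "medium", "aws_ebs_volume")
def volumes_encrypted(attrs):
    if not attrs.get("encrypted", False):
        return "volume is not encrypted at rest"


@policy("IAM-001", "high", "aws_iam_policy")
def no_wildcard_admin(attrs):
    for st in attrs.get("statements", []):
        if st.get("effect") == "Allow" and "*" in st.get("actions", []) and "*" in st.get("resources", []):
            return "Allow */* grants full administrative access"


def evaluate(plan=PLAN):
    """Run every policy against every resource of its type; return violations in plan order."""
    violations = []
    for res in plan:
        for rule_id, severity, rtype, check in POLICIES:
            if res["type"] != rtype:
                continue
            msg = check(res["attrs"])
            if msg:
                violations.append((rule_id, severity, f"{res['type']}.{res['name']}", msg))
    return violations


def should_fail_build(violations, fail_on=("critical", "high")):
    """Build-time gate: block the merge or apply when any violation is at or above the threshold."""
    return any(sev in fail_on for _, sev, _, _ in violations)


if __name__ == "__main__":
    found = evaluate()
    for v in found:
        print(*v, sep=" | ")
    raise SystemExit(1 if should_fail_build(found) else 0)
```

The run-time half of the talk's point is the same `evaluate` fed with exported live state instead of a plan: drift that never went through the pipeline (a console edit, a hand-applied change) shows up as the same rule identifiers.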

Table of contents
  1. Infrastructure-as-Code Security: Why, What, and How

Modern Dynamic Application Security Testing

by DevSecCon

Sep 24, 2020 / 13m

Description

Dynamic Application Security Testing (DAST) has developed a bad rap. Application security as a whole has struggled to keep up with the shifts in modern software delivery, and that is especially true for dynamic application scanning. However, the ability to run security tests against a running version of the application is one of the best ways to ensure you are finding and fixing the security bugs that attackers may be able to exploit. There is a new way to run security tests against your app that works with modern development paradigms: REST API, HTTP and GraphQL back ends, authentication requirements, and running in the pipeline. Join StackHawk co-founder and Chief Security Officer Scott Gerlach to learn how application security can truly be developer-first, and the latest in dynamic security testing.

Table of contents
  1. Modern Dynamic Application Security Testing

Pull Request Etiquette

by DevSecCon

Sep 25, 2020 / 6m

Description

Join Erik Zaadi for this 5-minute session on pull request etiquette.

Table of contents
  1. Pull Request Etiquette

Secure Your Code - Injections and Logging

by DevSecCon

Sep 24, 2020 / 41m

Description

Security is a hard problem, especially when you are only running, not writing, an application. This talk shows how to protect against injections and how to monitor for them, combining two of the OWASP Top 10 security risks: 1. Injection (A1:2017): we take a simple application exploitable by injection and then secure it with the ModSecurity web application firewall (WAF). 2. Insufficient Logging & Monitoring (A10:2017): we log and monitor both the secured and the unsecured application with the Elastic Stack.
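The talk pairs a fix (a WAF in front of an injectable application) with monitoring (the Elastic Stack over both versions). The block below is an added example and is not the talk's application, ModSecurity, or Elastic code: it puts the string-built login query beside its parameterised form so the bypass can be run against an in-memory SQLite table, and then runs a small set of toy injection signatures over constructed access-log lines, which is the shape of the detection the Elastic side would carry. The accounts, the log lines (documentation-range IPs), and the signature list are constructed; the signatures are nowhere near as thorough as the OWASP Core Rule Set ModSecurity would apply.

```python
import hashlib
import re
import sqlite3
from urllib.parse import unquote, urlsplit, parse_qs


def _hash(pw):
    # sha256 stands in for a real password hash (argon2/bcrypt) to keep the example dependency-free
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db():
    """In-memory user table with constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", _hash("secret")), ("admin", _hash("correct horse"))])
    return conn


def login_vulnerable(conn, user, pw):
    """String-built query: the username is interpreted as SQL. Deliberately unsafe."""
    sql = f"SELECT 1 FROM users WHERE name = '{user}' AND pw_hash = '{_hash(pw)}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, pw):
    """Parameterised query: the driver sends values separately from the SQL text."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ? AND pw_hash = ?",
                       (user, _hash(pw))).fetchone()
    return row is not None


# Toy signatures for the monitoring side. ModSecurity's Core Rule Set is far more thorough;
# these only show the shape of a detection run over access logs.
INJECTION_PATTERNS = [
    (r"'\s*--", "quote followed by comment"),
    (r"'\s*(or|and)\s+'?\w+'?\s*=", "boolean tautology"),
    (r"\bunion\b\s+(all\s+)?select\b", "UNION SELECT"),
    (r";\s*(drop|delete|update|insert)\b", "stacked statement"),
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Decode each request's query parameters and report (ip, path, param, rule) for matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                decoded = unquote(value)   # second pass catches double-encoded payloads
                for pattern, label in INJECTION_PATTERNS:
                    if re.search(pattern, decoded, re.IGNORECASE):
                        alerts.append((m.group("ip"), parts.path, param, label))
                        break
    return alerts


# Constructed access-log lines in combined-log shape (IPs are documentation ranges).
# Credentials in a GET query string are themselves a mistake; they appear here only so the
# payload is visible in the log line.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Sep/2020:10:00:01 +0000] "GET /login?user=alice&pw=secret HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Sep/2020:10:00:05 +0000] "GET /login?user=admin%27%20--&pw=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Sep/2020:10:00:09 +0000] "GET /items?id=1%20UNION%20SELECT%20name,pw_hash%20FROM%20users HTTP/1.1" 500 0',
    '198.51.100.2 - - [24/Sep/2020:10:01:00 +0000] "GET /items?id=7 HTTP/1.1" 200 220',
]


def demo():
    conn = make_db()
    payload = "admin' --"      # comments out the password check in the string-built query
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "wrong"),
        "safe_rejects_payload": login_safe(conn, payload, "wrong"),
        "safe_accepts_real": login_safe(conn, "alice", "secret"),
        "alerts": scan_access_log(SAMPLE_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

Note that hashing the password did nothing against the bypass: the injection rides in the username, which is why the fix is parameterisation, not input hashing. On the monitoring side, the second log line returned 200, so a WAF-less application gives the detection nothing but the request itself to go on; that is the argument for logging both the secured and unsecured variants the abstract describes.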

Table of contents
  1. Secure Your Code - Injections and Logging

Securing Containers by Breaking in

by DevSecCon

Sep 24, 2020 / 29m

Description

There's no better way to understand container security than seeing some live hacking. This session explains and distinguishes the security concerns of each layer of a container image. We'll look at the OS dependencies in your images and, of course, your application dependencies. Our hacks and advice will help you better understand the mistakes you could make, their implications, and how to avoid them.

Table of contents
  1. Securing Containers by Breaking in

Securing the Pipeline with Open Source Tools

by DevSecCon

Sep 24, 2020 / 43m

Description

This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it will demonstrate how to accelerate your team's journey from endpoint security to built-in security and how to avoid common mistakes.

Table of contents
  1. Securing the Pipeline with Open Source Tools

The Biggest Security Talent Pool You’ve Never Heard Of

by DevSecCon

Sep 25, 2020 / 40m

Description

At a time when huge shortages in technology talent are projected to reach 3 million globally by 2022, businesses are searching for creative solutions. On the other hand, people with autism face huge employment barriers despite many having highly sought-after skills. The UN estimates that 80% of the 125 million people with autism globally are unemployed or underemployed. Xceptional is a platform that enables autistic job seekers to demonstrate rather than articulate their strengths, and matches them to employer partners. Xceptional has been working with several tech firms in Sydney over the past two years to bring about cultural diversity change in large IT firms, challenging the status quo to implement a new approach to security and other areas of IT. Mike Tozer will unpack the idea of cognitive diversity and share practical case studies from this unique work, which has been recognized through $1 million from Google. The specific strengths that, for some autistic people, match security roles will be discussed. The session will include practical tips and deep insights into what life is like with significant sensory processing challenges.

Table of contents
  1. The Biggest Security Talent Pool You’ve Never Heard Of

The Evolution of the Software Supply Chain Attack

by DevSecCon

Sep 25, 2020 / 13m

Description

Malicious hackers are becoming increasingly adept at attacking the underbelly of the Software Supply Chain. To cause the most damage while remaining undetected, hackers are rapidly evolving their attack methods. For the past 4 years, the State of the Software Supply Chain Report has documented multiple forms of Open Source Software (OSS) Supply Chain attacks including malicious code injection, stealing project credentials, and typosquatting. However, recent reports (March 9, 2020) have surfaced a new type of Software Supply Chain attack. So far, the Octopus Scanner malware has compromised 26 open source projects hosted on GitHub targeting a well known IDE. Join Ilkka as he shares the proprietary research gathered from 36,000 OSS projects and over 5,000 development teams. Ilkka will walk through how hackers are becoming increasingly successful at breaching Software Supply Chains and what you can do about it.

Table of contents
  1. The Evolution of the Software Supply Chain Attack

The Five Love Languages of DevOps

by DevSecCon

Sep 25, 2020 / 5m

Description

Join Matt Stratton for a 5-minute session around the five love languages of DevOps.

Table of contents
  1. The Five Love Languages of DevOps

The Hacker Hippocampus

by DevSecCon

Sep 25, 2020 / 17m

Description

Always on the edge of your seat when it comes to new exploits and tricks? Bug bounties, CTFs, live hacking events, simulations, and interactive educational modules have been shown to help hackers absorb new tools and knowledge and become stronger red teamers. But how does a hacker's brain process gamification and threats? This gamified, interactive talk shares how our brains are stimulated by these activities and how to up your game.

Table of contents
  1. The Hacker Hippocampus

Things I Learned About Software from Musicals

by DevSecCon

Sep 25, 2020 / 6m

Description

In this 5-minute session, Victoriya Kalmanovich will share things learned about software from musicals.

Table of contents
  1. Things I Learned About Software from Musicals

Threat Modeling the Death Star

by DevSecCon

Sep 25, 2020 / 33m

Description

Traditionally, threat modeling has been a slow and boring process that ends up with a giant document detailing every possible security problem. This approach, although useful in the past, is not necessarily a good fit for an ever-changing environment. In this session, Mario Areias will introduce attack trees and show how they can fit into a DevOps world. The talk will also challenge some common assumptions about threat models.
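What makes attack trees fit a DevOps world, as opposed to the giant document the abstract describes, is that a tree is data: it can live next to the code and be re-evaluated whenever a control ships. The block below is an added example and is not the speaker's material: an AND/OR attack tree with leaf costs (assumed unit: attacker days), a function that finds the cheapest path to the root goal, and a `mitigate` step that marks a leaf as blocked so the next evaluation shows where the attacker's cheapest path has moved to. The tree, its goals, leaves and costs are constructed for a hypothetical web service.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Node:
    """AND/OR attack-tree node. Leaves carry an attacker cost (assumed unit: attacker days)."""
    name: str
    kind: str = "leaf"            # "leaf", "or" (any child suffices), "and" (all children needed)
    cost: float = 0.0
    children: list = field(default_factory=list)
    mitigated: bool = False       # a mitigated leaf is treated as unachievable


def cheapest(node):
    """Return (cost, leaf_names) for the least-effort way to reach this node's goal."""
    if node.kind == "leaf":
        return (math.inf, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def mitigate(node, leaf_name):
    """Mark a leaf as mitigated (a control shipped this sprint). Returns True if the leaf exists."""
    if node.kind == "leaf":
        if node.name == leaf_name:
            node.mitigated = True
            return True
        return False
    found = False
    for child in node.children:
        found = mitigate(child, leaf_name) or found
    return found


def unmitigated_leaves(node):
    """Every leaf still open to the attacker; useful as the backlog view of the tree."""
    if node.kind == "leaf":
        return [] if node.mitigated else [node.name]
    return [n for c in node.children for n in unmitigated_leaves(c)]


def build_tree():
    """Constructed tree for a hypothetical web service; goals, leaves and costs are illustrative."""
    return Node("Exfiltrate customer database", "or", children=[
        Node("Compromise app server", "and", children=[
            Node("Exploit injection in search endpoint", cost=3),
            Node("Escalate from app user to db credentials", cost=2),
        ]),
        Node("Steal a backup", "or", children=[
            Node("Find public backup bucket", cost=1),
            Node("Phish backup operator", cost=6),
        ]),
        Node("Recruit insider with direct db access", cost=20),
    ])


def demo():
    """Re-evaluate the tree as controls land, the way a pipeline step would after each change."""
    tree = build_tree()
    steps = [cheapest(tree)]
    for control in ("Find public backup bucket", "Exploit injection in search endpoint"):
        mitigate(tree, control)
        steps.append(cheapest(tree))
    return steps


if __name__ == "__main__":
    for cost, path in demo():
        print(f"cheapest attack costs {cost}: {' -> '.join(path)}")
```

The costs are the weakest part of any such tree and the assumptions challenged in the talk probably apply to them; the value is less in the absolute numbers than in seeing that closing the public bucket moved the cheapest path to the application, and closing the injection moved it to phishing, which tells you what to threat-model next.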

Table of contents
  1. Threat Modeling the Death Star

Unquantified Serendipity: Diversity in Development

by DevSecCon

Sep 25, 2020 / 8m

Description

Join Quintessence Anx for a 5-minute session focused on diversity in development.

Table of contents
  1. Unquantified Serendipity: Diversity in Development

When Stress Meets Tech

by DevSecCon

Sep 24, 2020 / 21m

Description

Whatever your profession, your job can contain a variety of stress factors that are invisible to people looking in from the outside. This lecture offers solutions to support individuals within the IT community who are afflicted by stress.

Table of contents
  1. When Stress Meets Tech