AppSec Gold Mining – revisiting AppSec Cali

Micro Focus Expert
Micro Focus Expert
0 0 994
0 Likes

Micro Focus Fortify is a proud sponsor of AppSec California 2020, run by the OWASP Foundation, happening on January 21-24. If you’re able to make it, let us know your big takeaways in the comments section below.

AppSec Gold Mining.pngThe folks at tl;dr sec went back and watched all 32 hours of 44 talks from last year’s AppSec Cali 2019, and wrote a detailed summary of their key points. It’s a long but worthwhile post. Here are five things that jumped out for me:

  1. The Netflix presentation on “A​ Pragmatic Approach for Internal Security Partnerships” is worth digesting in total for a good example of how to build an AppSec program with security in partnership with development. The summary concludes with a few quick wins: 1) Determine your application risk scoring model, 2) Identify teams/orgs to partner with, and 3) Create an application inventory.
  1. As an application security vendor here at Fortify, it’s easy to get excited about tools. But we repeatedly emphasize the importance of people and process to achieve success. Adam Shostack’s “A Seat at the Table” emphasizes the importance of security in the design phase.
  1. Sticking with the theme of building an AppSec program, Flee’s “Starting Strength for AppSec

- What Mark Rippetoe Can Teach You About Building AppSec Muscles” is another favorite presentation. Besides the start small, get quick wins approach I endorse, there were a couple of nuggets I like. For developer training, it’s much more interesting and engaging to show devs previous vulnerabilities from your company’s code bases than just using generic examples. And then measure and record: track ALL defects found, and make them visible to everyone. Good stuff.

  1. The CISO Panel: Baking Security Into the SDLC has some great insight. I like the perspectives on basic things like what DevSecOps means to them, although some didn’t like the term “DevSecOps.” Instead they suggested to call it DevSecBizOps because we need to add the business side into things, it’s about velocity and quality.
  1. Developer training combined with minimizing friction is a recurring theme for many of the presentations. Example from “(in)Secure Development - Why some product teams are great and others aren’t…: “Riot Games chose to focus on raising Level 1 and 2 teams to Level 3, as that yields the biggest security benefits vs effort required, makes teams’ security processes self-sustaining without constant security team involvement. They did this by shaping development team behavior, rather than purely focusing on automation and technical competencies and capabilities.”

Bonus: If you’re trying to figure out DevSecOps, check out this quick primer “What is DevSecOps.”

 

About Micro Focus Fortify

Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premise or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.