Global AppSec DC 2019

Modern web applications and systems have grown increasing complex in the 18 years since OWASP was founded. Today's systems are composed from many diverse components, employ a wide variety of frameworks and toolkits, and utilize a vast spectrum of hosting models and external services.  Secure design and operation for such composite systems requires thoughtful application security engineering principles, attention to interactions among composite system elements, and awareness of dependencies across the system lifecycle. This talk will cover a selection of high-level principles, and illustrate them with reference to a Smart City transit system example.

There has been a lot of conversations around diversity and inclusion in the recent past.  This is a step in a positive direction. The benefits of diversity in cybersecurity are clear. As an industry, we can do better, we need to do better. We need not only to keep the conversation going but to really place some action behind it. While homogenous teams feel easier to operate in, it can lead to stagnation, or specialisations in some aspects at the expense of others.

In this talk, I will present some of my thoughts on the importance and benefits of diversity and inclusion in our industry. I will share some of my experiences working over the last few years towards diversity initiatives, some real change observed, challenges associated with it and small steps anyone can do to improve diversity.

The internet wasn’t built with security in mind, the world has a massive talent shortage, and we can’t rely on automation to solve everything.

If you’re on an application security team, I’m willing to bet you have more to do than time and resources to do it. Maybe one of your colleagues left for a new job last month, and there are two additional unfilled positions on your team. You could actually be in a position where you’re trying to do the jobs of 4 people.

Talent matters. You matter.

This talk is about preventing and addressing burnout for overworked application security professionals. It’s also about how to attract, retain, and grow a great team.

DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?

In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and even though the world has radically changed over the last century, we are still facing many of the same root challenges.

Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.