Four Years of Reflection: How (Not) To Secure Web Applications

We are partnering with DevSecOps and Sectalks Melbourne to run a mega meetup this June! Food will be provided. Please RSVP if you can make it. Special thanks to NAB for providing the venue and Snyk for the pizza!

Agenda

• Pizza - 6:00pm - 6:20pm
• Interview - 6:20pm - 6:40pm
• Talk - 6:40pm - 7:30pm
• Networking - 7:30pm till 8:30pm

Talk
Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire and the holy grail of producing a security inspired product is but a dim light growing further and further away. The same feeling is true for security aware engineers being pushed to develop products quickly but also expected to consider quality assurance, operations, security and the reliability of their application or service.

To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and «JIT» education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures:

• «JIT» Education — Changing a companies security culture with RFC’s for security standards, security integrated PIR via bug bounty program reports, visibility through security maturity frameworks (BSIMM).
• Automation — Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers, an effortless process.
• Prevention — Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public.

Bio
@JulianBerton is a Principal Security Engineer at SEEK, volunteer and founder of OWASP AppSec Day (appsecday.io) conference, chapter lead of the OWASP Melbourne chapter and sits on the Paper Review Board for BSides Melbourne and DevSecCon.

He also gives talks and publishes blogs to educate security and technology professionals. A few recent presentations have been at DevOps Talks, DevSecCon, OWASP Melbourne, TConf & NDC Sydney.

Sponsor

Special thanks to NAB for providing the venue and Snyk for the pizza!

Access

If you are locked out or having issues finding the place, email, Slack or Tweet us and we will guide you :)

• OWASP Slack - http://owaspslack.com (@hoodiePony, @jberton)
• Twitter - https://twitter.com/OWASPMelbourne