
Scale Security by Embracing Secure Defaults and Best-practices for DevSecOps

Hosted By
Geoffrey T.

Details

To make the event more interactive, we are having the event on Discord. So join the VikingSec Discord via https://discord.gg/XCUja4Q.
Make sure to go to the #role-assignment and click the bee to get permissions to talk and write in the OWASP Copenhagen channels.

If you don't want to be on Discord - no problem! Both talks will be streamed to YouTube as usual! The link will be made public soon!

TALK 1: Scale Security by Embracing Secure Defaults

We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way.

When done correctly, combining secure defaults with lightweight checks that enforce invariants (properties that must always hold) lets organizations solve whole classes of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:

  • Choosing what to focus your AppSec resources on
  • Combining secure defaults with lightweight invariant enforcement to eradicate entire vulnerability classes
  • Integrating continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
  • Using an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company
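To make the "secure default plus invariant check" pairing concrete, here is an added example that is not part of the talk or of r2c's tooling: a hypothetical blessed `safe_query` wrapper as the secure default, and a small Python `ast`-based check (standing in for a semgrep rule) that enforces the invariant that every `.execute()` call receives a literal SQL string, so that string-built queries are caught in CI rather than at pentest time.

```python
import ast

# The secure default (hypothetical helper): one blessed function that only
# takes a constant SQL string plus bound parameters, so callers never build
# queries with string concatenation or formatting.
def safe_query(cursor, sql: str, params: tuple = ()):
    return cursor.execute(sql, params)

# The lightweight invariant check: the first argument of every .execute(...)
# call must be a string literal. Anything else (f-string, %, +, .format())
# is flagged, in the spirit of a semgrep rule but written with Python's ast.
def check_execute_invariant(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for each .execute() call with a non-literal SQL arg."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr != "execute" or not node.args:
            continue
        sql = node.args[0]
        if isinstance(sql, ast.Constant) and isinstance(sql.value, str):
            continue  # literal SQL: invariant holds
        if isinstance(sql, ast.JoinedStr):
            reason = "f-string used to build SQL"
        elif isinstance(sql, ast.BinOp):
            reason = "SQL built with a string operator"
        elif (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
              and sql.func.attr == "format"):
            reason = "SQL built with str.format()"
        else:
            reason = "non-literal SQL argument"
        findings.append((node.lineno, reason))
    return findings

# Constructed sample input: one compliant call followed by three violations.
SAMPLE = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(user))
'''

if __name__ == "__main__":
    for line, reason in check_execute_invariant(SAMPLE):
        print(f"line {line}: {reason}")
```

Run in CI, a non-empty result fails the build; the check is cheap because it only looks at call shape, not data flow, which is exactly the "high signal, low friction" trade-off the talk describes.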

SPEAKER 1:
Adam Berman
Lead Product Engineer at r2c
https://www.linkedin.com/in/adam-berman-75485829/
Adam Berman is lead product engineer at r2c. In this role, he focuses on building and scaling the semgrep application to make it intuitive, easy to use, and reliable. Prior to joining r2c, Adam led the engineering team for Meraki Insight at Cisco Meraki, using ML and AI techniques to identify and solve performance problems in networked applications. Adam holds an MS in Computer Science from the Georgia Institute of Technology and a BA in Philosophy from Dickinson College.

TALK 2: Best-practices for DevSecOps

The presentation will cover best practices for DevSecOps (i.e. the security part) and includes a case study on supply-chain controls related to the SolarWinds incident.

SPEAKER 2:
Martin Clausen
Chief Security Architect, Head of Architecture, Research and Development at Saxo Bank.
https://www.linkedin.com/in/martin-clausen/

Photo: Vitor Padua, unsplash.com

OWASP Copenhagen Chapter