Go Beyond DevSecOps to Continuous Security

This will be a discussion on the notion of Continuous Security and focused on principles and practices around this area, and especially at how it fits with DevOps and DevSecOps initiatives.

Abstract
Continuous. If you have been around DevOps for any length of time then you have heard this term. As in Continuous Integration, Continuous Build, Continuous Deployment, Continuous Delivery, Continuous Testing, Continuous Planning among others. Now we are living in a time when personal and data privacy matters more than ever, and so one "Continuous" is rising to the forefront: Continuous Security.

But what really IS Continuous Security? Is it simply a notion of running scans and tests as part of a pipeline and reporting vulnerabilities? We think it is much more then that. For years organizations have been good validating that applications perform the way they are intended to and do what they are supposed to do so that they can be relied upon. But today if is not enough for applications to just be functional - they must be trustworthy. Add in ever-growing regulations like GDPR, CCPA and CRPA and you'll find that if they are not trustworthy, you could face serious penalties or even charges. But how do you achieve and maintain trust? Security has to be of constant paramount importance. Which means, it's time Security to be continuous too.

We will start with a quick, short, brief view on the current thinking around DevSecOps and how this traditionally just focuses on adding security practices to pipelines. This is a great thing, but it is not enough.

We will then outline our view on Continuous Security and cover 6 key capabilities that we believe are paramount and we will illustrate key facts and ways to know if you are doing them well.

Finally we will illustrate in detail how these work capabilities work together and the benefits that can be realized.

The Road To A Security Evangelist

This session explores the road traveled from an undergraduate engineering degree through many software delivery roles to application security evangelism. It discusses key lessons learned along the way as well as things to avoid in a fun, reflective way. Meant to provide encouragement and ideas to those looking to get more into security.

DevOps Moves Pretty Fast. If You Don't Stop and Secure It Once In a While, You Could Miss It

Abstract:

Remember Ferris Bueller... Bueller... Bueller? Ferris woke up one morning saying "how could I be expected to handle school on a day like this?" and that begins a day filled with seeking adventure. Well trying to elegantly intersect security with DevOps these days can also leave us feeling a bit like Ferris did about high school that day. But it doesn't have to be. From the iconic opening scene, the infamous Mr Peterson call, Abe Froman - Sausage King of Chicago and more, Ferris provides us with key insights on the impact security can have. Join us as we borrow a few lessons from Ferris to see what we can do to move security from mundane to marvelous.

Avoiding Paranoia: Lessons learned from 3 years of podcasting

The Application Paranoia podcast has been in existing since 2020 and is now in its 4 season. We have had a variety of great guests on a wide range of topics and this session will share some of the best stories, moments and lessons learned along the way

Lessons learned from the application paranoia podcast. Could be done in variety of lengths from 15 to 60 minutes. Podcast can be found on all major platforms or appscan.buzzsprout.com

Building the Next Generation in Cyber

Today's challenges cannot be solved with yesterdays methods. There is a great need for skilled cyber professionals, but few entry-level jobs and places to learn. This session will talk about work I have done with several different universities (University of Southern California, University of Arizona, Arizona State University, and Grand Canyon University) to help in a variety of fashions. Particular attention will be given to work as part of the CHOPS (CyberSecurity Hands On Problem Solving) certification program at Arizona State, and to work done with USC related to their MBV program.

Lessons learned, best practices from work done with universities to address cyber skills gap and increase internship, apprenticeship and entry level hiring.