
Alton Crossley
Security/Software Engineer and all-around helpful guy
Bozeman, Montana, United States
Alton Crossley is a Security Engineer with 20+ years of professional Software Engineering and Security experience. Among his numerous certifications, Alton is a Microsoft Certified Solutions Developer as well as a Certified Ethical Hacker. With further competencies in network engineering, Alton has a holistic perspective on application development, design, and security.
Area of Expertise
Topics
Reducing Friction Between AppSec and Development
Friction between Security and Development can be very discouraging. It can go as far as becoming a risk factor. I have picked out a couple of practical ways to reduce friction that I would like to share. These will also help you be more impactful.
Controlling Developers Minds Through First Principles and Engineering Models
Software Engineers don't care about your security principles. Some just want to get paid; some are obsessed with making. No matter what their motivation, I will give tools to drive secure outcomes. This inception will infect every level of development; it is like hacking their mindset. I will explain why and how it works with some First Principle analysis. All of this is framed as a mission to perform inception.
A Brush with Threat Modeling
What could go wrong? ...Oops! I almost gave it all away. Let's look at a couple of shockingly simple structured techniques for building more secure and higher quality software.
We discuss introducing the four-question framework, merge reviews, and secure habits around your business-specific threat vectors.
The Model Application Security Program
To the non-Software Engineer, the development team may be a hard nut to crack. As security people, we scan all the things... but how do we go beyond vulnerability management? This will go over 20+ points of security engagement in the Software Development Lifecycle and strategies for effecting change.
We walk through common security activities in development and the types of tools that perform in those spaces using a full end-to-end model.
Give Your Security Program Traction
It is common for a security team to run multiple practices in parallel, each in its own silo. Vulnerability Management is like juggling sand. This will be an introduction to Continuous Threat Exposure Management, a proactive approach to a prioritized security program.
This is a tool-less intro to CTEM and how it approaches things differently from what you may be doing now.
Trust Boundary Ninja
There is a rumor that Web APIs are harder to build and secure than a traditional web app. However, traditional Web Apps can have the same issues. The key to safe apps is minding ALL the trust boundaries.
Targeted at development and threat modelers to help consider some of the overlooked and more complex trust boundaries.
Mastering Implicit Requirements
Let security and quality take a front seat through requirements unspoken. "As a logged in user" carries some baggage. We will discuss what is implied in situations that product management may overlook.
This is targeted at anyone involved in product requirements. We discuss questions to ask to make implicit requirements explicit tasks.
Code Secure Without Becoming a Hacker
The Security World is great at training pentesters by the dozens. This success has hidden the fact that the same approach does not work for training Software Engineers. This will cover how security emerges from engineering and how Security Assurance can optimally interact with developers without hindering developer velocity.
This is a concept I have been speaking on and developing for about 4 years. I start by sharing my experience bridging the gap between engineering and security. Using a bit of first principles analysis we can see how developers should address security concerns, sometimes by extending existing practices with specific security intent. I will also show a generic webapp threat model and a security model based on ISO 25010 for our in-class conversation.
Secure Dependency Management Primer
Dependencies are not talked about enough. Struggling to maintain them while maintaining stability is difficult. Now we have Security knocking at our door. How do we get to the next level and achieve an iterative flow?
This is a collection of thoughts from my experience in helping others manage dependencies in general and with an eye to security.
An Introduction to Securable Coding
You are working on code that needs to be secure, but you don't know where to start with security. We will cover the basics and where to go from there.
This session will cover basic Resilient Coding, the Securable Software Engineering Model (SSEM), secure logging, security requirements and Unit Tests for security.
Coding with Safe Vibes – Making Copilot write securable code
Move beyond hoping for secure outcomes and start engineering them, ensuring your AI-assisted development radiates 'safe vibes' and delivers robust, securable applications.
Objectives
1. Include security in your prompts.
2. Include security in your context.
3. Make securable code a natural outcome, not an afterthought.
We go over the latest prompting methods, how to use context files to help, and ways to tell if the code is secure, with audience participation. This is done live using the latest GitHub Copilot tools in VS Code.
Live! 360 Tech Con Orlando 2024 Sessionize Event
Live! 360 Orlando 2023 Sessionize Event
BSides Albuquerque Sessionize Event
API World 2022 Sessionize Event
SAINTCON 2022 Sessionize Event
Microsoft 365 Virtual Marathon 2022 Sessionize Event
Appsec Village DC29 Sessionize Event