
Alton Crossley
Security/Software Engineer and all-around helpful guy
Bozeman, Montana, United States
Alton Crossley is a Product/Application Security Engineer with 20+ years of professional Software Engineering and Security experience. As a lifetime OWASP member he is the lead of the developer-centric OWASP FIASSE project. Alton has a holistic perspective on application development, design, and security.
Area of Expertise
Topics
Reducing Friction Between AppSec and Development
Friction between Security and Development can be very discouraging. It can go as far as becoming a risk factor. I have picked out a couple of practical ways to reduce friction that I would like to share. These will also help you be more impactful.
Controlling Developers Minds Through First Principles and Engineering Models
Software Engineers don't care about your security principles. Some just want to get paid; some are obsessed with making. No matter what their motivation, I will give you tools to drive secure outcomes. This inception will infect every level of development; it is like hacking their mindset. I will explain why and how it works with some First Principles analysis. All of this is framed as a mission to perform inception.
Give Your Security Program Traction
It is common for a security team to run multiple practices in parallel, each in its own silo. Vulnerability Management is like juggling sand. This will be an introduction to Continuous Threat Exposure Management, a proactive approach to a prioritized security program.
This is a toolless intro to CTEM and how it approaches things differently from what you may be doing now.
Trust Boundary Ninja
There is a rumor that Web APIs are harder to build and secure than a traditional web app. However, traditional Web Apps can have the same issues. The key to safe apps is minding ALL the trust boundaries.
Targeted at development and threat modelers to help consider some of the overlooked and more complex trust boundaries.
Code Secure Without Becoming a Hacker
The Security World is great at training pentesters by the dozens. This success has hidden the fact that the same approach does not work for training Software Engineers. This will cover how security emerges from engineering and how Security Assurance can optimally interact with developers without hindering developer velocity.
This is a concept I have been speaking on and developing for about 4 years. I start by sharing my experience bridging the gap between engineering and security. Using a bit of first principles analysis, we can see how developers should address security concerns, sometimes by extending existing practices with specific security intent. I will also show a generic webapp threat model and a security model based on ISO 25010 for our in-class conversation.
Secure Dependency Management Primer
Dependencies are not talked about enough. Keeping them up to date while maintaining stability is a struggle. Now we have Security knocking at our door. How do we get to the next level and achieve an iterative flow?
This is a collection of thoughts from my experience in helping others manage dependencies in general and with an eye to security.
Coding with Safe Vibes – Making Copilot write securable code
Move beyond hoping for secure outcomes and start engineering them, ensuring your AI-assisted development radiates 'safe vibes' and delivers robust, securable applications.
Objectives
1. Include security in your prompts.
2. Include security in your context.
3. Make securable code a natural outcome, not an afterthought.
We go over the latest prompting methods, how to use context files to help, and ways to tell if the code is secure, with audience participation. This is done live using the latest GitHub Copilot tools in VS Code.
Live! 360 Tech Con Orlando 2024 Sessionize Event
Live! 360 Orlando 2023 Sessionize Event
BSides Albuquerque Sessionize Event
API World 2022 Sessionize Event
SAINTCON 2022 Sessionize Event
Microsoft 365 Virtual Marathon 2022 Sessionize Event
Appsec Village DC29 Sessionize Event