Craig Dent

Senior Solutions Engineer - Snyk APJ

Sydney, Australia

Craig Dent works as a Senior Solutions Engineer for Snyk APJ, helping developers adopt cloud native technologies, while empowering them to stay secure.

He has 20+ years of experience in senior presales, customer success and solutions architecture roles with global software vendors and start-ups, both proprietary and open source, delivering on-premises and cloud-based solutions. He provides technical and strategic security advice covering public cloud, code, open source dependencies, IaC and containers.

Area of Expertise

  • Information & Communications Technology
  • Physical & Life Sciences

Topics

  • AppSec
  • Public Cloud
  • Infrastructure as code (IaC) security and policy-as-code
  • Open Source Security
  • Container Security

Can we (really) trust Developers to handle security?

To truly empower developers to find and fix vulnerabilities within their code, it's simply not enough for security teams to shift security tools even further left. If the tool still requires developers to interrupt their workflow to perform security-related tasks, it adds cognitive load. Developers often don’t have the time or resources to add another task to their already full plates.

This session talks about the 4 Key Principles of a Dev First Security Program:

1. Change in ownership
2. Designing for the developers
3. Bringing the cloud into appsec
4. Developing your champions

Policy at the Core: Infusing DevOps with Security

Abstract

Policy as Code in DevSecOps means treating security and compliance policies with the same automation, integration and version control as application code. Join our session for a discussion and real-world examples of how policy-as-code tools speed up security testing, increase efficiency by removing manual policy enforcement, and reduce mistakes by validating configuration automatically rather than by hand.

Outline/Structure of the Talk

Agenda:
- Background
- What are we trying to solve?
- Types of Application + Cloud Vulnerabilities
- Strategy at scale
- Putting it into practice
- Q & A

Learning Outcome

At the end of the session, attendees will understand why automating policy is critical to implementing a successful DevOps program. They will see how to use an open-source policy tool to write automated tests against structured configuration data, in order to enforce security in a build pipeline. Links to example configuration tests will also be provided.
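The abstract above and this learning outcome both describe the same mechanism: policies expressed as versioned code, run as automated tests against structured configuration data, failing the build when they fire. The session does not name its policy tool, so the following is an added example in plain Python and not that tool's syntax or any code from the talk. The rule IDs (KUBE-001, KUBE-002, TF-001), the Deployment and Terraform-plan documents, and the bucket names are all constructed for illustration; a real pipeline would feed it `kubectl get -o json` or `terraform show -json` output instead.

```python
"""Policy-as-code check over structured configuration, shaped to run in CI.

Added example, not code from the talk: the session does not name its
open-source policy tool, and this is a plain-Python stand-in for the idea,
not that tool's syntax. Each rule is a pure function (parsed document ->
list of violation strings), so rules live in version control, get unit
tests like any other code, and fail the build when they fire. The rule
IDs (KUBE-001, KUBE-002, TF-001) and the sample documents are made up.
"""
import json
import sys
from typing import Callable, List

Rule = Callable[[dict], List[str]]


def _containers(doc: dict) -> list:
    # For a Deployment the Pod spec sits under spec.template.spec.
    return doc.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])


def no_privileged_containers(doc: dict) -> List[str]:
    """KUBE-001: no container may set securityContext.privileged: true."""
    return [f"KUBE-001: container '{c.get('name')}' is privileged"
            for c in _containers(doc)
            if c.get("securityContext", {}).get("privileged") is True]


def no_unpinned_images(doc: dict) -> List[str]:
    """KUBE-002: images must carry a digest or a tag other than 'latest'."""
    out = []
    for c in _containers(doc):
        image = c.get("image", "")
        if "@sha256:" in image:          # digest-pinned, always acceptable
            continue
        last = image.rsplit("/", 1)[-1]  # drop registry/path, which may contain ':port'
        tag = last.split(":", 1)[1] if ":" in last else ""
        if tag in ("", "latest"):
            out.append(f"KUBE-002: container '{c.get('name')}' uses unpinned image '{image}'")
    return out


def no_public_s3_acl(doc: dict) -> List[str]:
    """TF-001: aws_s3_bucket resources in a Terraform plan must not have a public ACL."""
    resources = doc.get("planned_values", {}).get("root_module", {}).get("resources", [])
    return [f"TF-001: {r.get('address')} has public ACL '{r['values'].get('acl')}'"
            for r in resources
            if r.get("type") == "aws_s3_bucket"
            and r.get("values", {}).get("acl") in ("public-read", "public-read-write")]


KUBE_RULES: List[Rule] = [no_privileged_containers, no_unpinned_images]
TF_RULES: List[Rule] = [no_public_s3_acl]


def evaluate(doc: dict, rules: List[Rule]) -> List[str]:
    """Run every rule against one parsed document and return all violations."""
    violations: List[str] = []
    for rule in rules:
        violations.extend(rule(doc))
    return violations


def exit_code(violations: List[str]) -> int:
    """A non-zero exit fails the pipeline stage; that is the enforcement point."""
    return 1 if violations else 0


# Constructed sample inputs, trimmed to the fields the rules read.
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
  {"name": "web", "image": "nginx:1.25.3",
   "securityContext": {"privileged": false}},
  {"name": "sidecar", "image": "busybox",
   "securityContext": {"privileged": true}}
]}}}}
""")

SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "values": {"bucket": "example-logs", "acl": "public-read"}},
  {"address": "aws_s3_bucket.state", "type": "aws_s3_bucket",
   "values": {"bucket": "example-state", "acl": "private"}}
]}}}
""")

if __name__ == "__main__":
    found = evaluate(SAMPLE_DEPLOYMENT, KUBE_RULES) + evaluate(SAMPLE_PLAN, TF_RULES)
    for v in found:
        print("FAIL", v)
    sys.exit(exit_code(found))
```

Run against the constructed documents it reports three violations (the privileged, unpinned `sidecar` container and the public `logs` bucket) and exits non-zero, which is what makes a pipeline stage fail. Because each rule is an ordinary function, the rules themselves get unit tests in the same repository, so a policy change is reviewed and validated exactly like an application change.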

Target Audience

DevOps Teams, Application Developers and Security Teams

Unsolved Problems in Application Security

Abstract

The discipline of AppSec has evolved tremendously since the founding of OWASP in 2001. As software development methodologies have advanced, AppSec has struggled to keep pace with innovation.

Some foundational issues, like reliable SCA, have now been solved by the industry. But certain thorny problems, like software attestation, risk-based prioritisation, SAST accuracy, and DAST correlation, remain elusive.

Join our session for a discussion of the current state of application risk management and the unsolved issues that still limit the full potential of developer-focused security.

Outline/Structure of the Talk

Agenda

1. Origins and Fundamental Challenges
- In the beginning...
- The Three Fundamental Challenges of AppSec
- Process: Event Horizon
- Technology: Emergent Complexity
- Different Sized Loops
- Where is security on the critical path?

2. Largely Solved Problems as of 2024
- Event Horizon: Accurate Dependency Resolution for SCA
- Emergent Complexity: Cloud-Native Application Asset Visibility
- Different Sized Loops: Shifting Test Responsibility to the Left

3. Exciting Near-Term Possibilities
- Event Horizon: Reachability Analysis from Runtime Signals
- Emergent Complexity: Attestable Software Lineage Artifacts
- Different Sized Loops: Shifting Meaningful Context and Fix Advice Left

4. Thorny Unsolved Issues
- Event Horizon: Correlation of Unlike Signals (Dynamic to Static)
- Emergent Complexity: Threat Modeling / Declarative Security "By Design"
- Different Sized Loops: Setting The Right Incentives (Turning Chickens into Pigs)

5. What's the Future of AppSec?

Learning Outcome

The common thread in every Application Security success is that security sits in the natural critical path of software engineering. The long-term future of Application Security lies in changing its definition so that these longstanding challenges are finally addressed.

Target Audience

Security Professionals and Application Developers
