Application Security from the Inside Out

Duration: 50 mins
Ulisses Albuquerque
Security Engineer, Latitude Financial Services

This talk tells the story of the implementation of an application security program in an agile, polyglot, cloud-first organisation.

With fast-moving teams, multiple programming languages and frameworks to support and an imperative to not slow down development, security engineering developed a distributed serverless event-oriented distributed architecture which orchestrates best-of-breed security tooling and makes results available to developers via the same tools they use as part of regular development activities, such as configuration management pull requests and Slack messages.

We go through the integration patterns for static application security analysis, software composition analysis, container security scanning and cloud compliance scanning, discussing the challenges specific to each tool and how the security engineering team was able to overcome or compensate for them.

We also discuss the collaborative approach taken in embedding security work in the same environment used by the rest of the development teams, allowing security engineers to understand the painful aspects of their proposed solutions and get feedback from developers. We will talk about how some tools were chosen in partnership with the development teams and how that helped with frictionless adoption.

Finally, we go through how making security metrics readily available and visible helped enable risk ownership by the development teams, shifting from a ""security approval"" to a ""security partnership"" approach to secure software delivery. This is demonstrated by increased development team engagement (particularly in earlier stages of the software development lifecycle), decrease in the number of security vulnerabilities and a much clearer perception of the technical risk and associated technical debt present in all software developed in the organisation.

You may also be interested in

25 mins
How (not) to Scale Elasticsearch for Data Analytics!

Search is ubiquitous - From booking a cab on Ride sharing platforms to searching for a job on LinkedIn, Elasticsearch...

50 mins
Ripped Machine Learning with Distributed Computing

Machine Learning with Distributed Computing are both relatively complex software architectures to wrap your head around. Through the years the...

25 mins
AI Powered Root Cause Analysis for Production Alerts

At PayPal, SRE team troubleshoots production alerts (from ~2500 applications and services). There is always an inherent urgency in resolving...

25 mins
Time Synchronization using ML Techniques in Electronic Trading

In modern computer networks, time synchronization is critical because every aspect of managing, securing, planning, and debugging a network involves...

50 mins
Machine Learning Platforms

Machine Learning is clearly here to stay. While it is a far cry from actual Artificial Intelligence, it provides many...

180 mins
Data Science with Groovy

Groovy is a powerful multi-paradigm programming language for the JVM that offers a wealth of features that make it ideal...