Application Security from the Inside Out
This talk tells the story of the implementation of an application security program in an agile, polyglot, cloud-first organisation.
With fast-moving teams, multiple programming languages and frameworks to support and an imperative not to slow down development, security engineering built a distributed, serverless, event-oriented architecture that orchestrates best-of-breed security tooling and makes results available to developers through the same tools they already use in regular development activities, such as configuration management pull requests and Slack messages.
We go through the integration patterns for static application security analysis, software composition analysis, container security scanning and cloud compliance scanning, discussing the challenges specific to each tool and how the security engineering team was able to overcome or compensate for them.
We also discuss the collaborative approach taken in embedding security work in the same environment used by the rest of the development teams, allowing security engineers to understand the painful aspects of their proposed solutions and get feedback from developers. We will talk about how some tools were chosen in partnership with the development teams and how that helped with frictionless adoption.
Finally, we go through how making security metrics readily available and visible helped enable risk ownership by the development teams, shifting from a "security approval" to a "security partnership" approach to secure software delivery. This is demonstrated by increased development team engagement (particularly in earlier stages of the software development lifecycle), a decrease in the number of security vulnerabilities and a much clearer perception of the technical risk and associated technical debt present in all software developed in the organisation.
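The integration pattern the abstract describes (one handler per scanner that normalises its output, a router that pushes only the findings developers need to act on into their existing channels, and metrics that give teams visibility of their open risk) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not code from the talk or the organisation it describes; the scanner event formats, repository names, team mapping and the "high and above" routing threshold are all constructed assumptions.

```python
"""Event-oriented security-findings pipeline (constructed illustration).

Each scanner (SAST, SCA, container) emits an event in its own shape. A
registered handler per tool normalises it to one Finding type, a router turns
findings above a severity threshold into developer-facing messages (the kind
that would become a PR comment or a Slack post), and a metrics function
summarises open findings per owning team.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Finding:
    tool: str
    repo: str
    severity: str   # "critical" | "high" | "medium" | "low"
    title: str
    location: str

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Registry of per-tool handlers: raw event dict -> normalised findings.
HANDLERS: Dict[str, Callable[[dict], List[Finding]]] = {}

def handler(tool: str):
    def register(fn):
        HANDLERS[tool] = fn
        return fn
    return register

@handler("sast")
def from_sast(event: dict) -> List[Finding]:
    return [Finding("sast", event["repo"], r["severity"].lower(), r["rule"],
                    f'{r["file"]}:{r["line"]}') for r in event["results"]]

@handler("sca")
def from_sca(event: dict) -> List[Finding]:
    return [Finding("sca", event["repo"], v["severity"].lower(),
                    f'{v["package"]}@{v["version"]}: {v["advisory"]}',
                    event["manifest"]) for v in event["vulnerabilities"]]

@handler("container")
def from_container(event: dict) -> List[Finding]:
    return [Finding("container", event["repo"], c["severity"].lower(), c["id"],
                    event["image"]) for c in event["cves"]]

def process_event(event: dict) -> List[Finding]:
    """Dispatch on event['tool']; events from unregistered tools are dropped
    so that adding a new scanner cannot break the rest of the pipeline."""
    fn = HANDLERS.get(event.get("tool"))
    return fn(event) if fn else []

def route(finding: Finding, threshold: str = "high") -> Optional[str]:
    """Message for findings at or above the threshold; None means the finding
    stays on the dashboard only and does not interrupt the developer."""
    if SEVERITY_RANK[finding.severity] < SEVERITY_RANK[threshold]:
        return None
    return (f"[{finding.severity.upper()}] {finding.repo} ({finding.tool}): "
            f"{finding.title} at {finding.location}")

def metrics(findings: List[Finding], owners: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Open findings per team, by severity: the per-team visibility that lets
    a development team own its risk."""
    out: Dict[str, Dict[str, int]] = {}
    for f in findings:
        team = owners.get(f.repo, "unowned")
        out.setdefault(team, {s: 0 for s in SEVERITY_RANK})[f.severity] += 1
    return out

# Constructed sample events and ownership map (not real scanner output).
EVENTS = [
    {"tool": "sast", "repo": "payments-api", "results": [
        {"severity": "High", "rule": "sql-injection", "file": "app/db.py", "line": 42},
        {"severity": "Low", "rule": "hardcoded-tmp-path", "file": "app/util.py", "line": 7}]},
    {"tool": "sca", "repo": "payments-api", "manifest": "requirements.txt", "vulnerabilities": [
        {"package": "examplelib", "version": "1.0.0", "severity": "Critical",
         "advisory": "ADVISORY-PLACEHOLDER"}]},
    {"tool": "container", "repo": "web-frontend", "image": "web-frontend:1.2.3",
     "cves": [{"id": "CVE-PLACEHOLDER", "severity": "Medium"}]},
    {"tool": "unknown-scanner", "repo": "web-frontend"},  # ignored by design
]
OWNERS = {"payments-api": "team-payments", "web-frontend": "team-web"}

def run(events=EVENTS, owners=OWNERS):
    findings = [f for e in events for f in process_event(e)]
    messages = [m for f in findings if (m := route(f)) is not None]
    return findings, messages, metrics(findings, owners)

if __name__ == "__main__":
    found, msgs, per_team = run()
    print("\n".join(msgs))
    print(per_team)
```

Running it produces two developer-facing messages (the High SAST hit and the Critical dependency advisory) while the Low and Medium findings stay in the metrics only; the unknown-scanner event is silently ignored. Swapping the `route` function for one that posts to a PR review or a Slack channel, and the event source for a queue of scanner webhooks, is the step that turns this sketch into the serverless architecture the talk describes.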