SESSION + Live Q&A
Speed The Right Way: Design and Security in Agile
“Blame the programmer” was an emerging theme in the security breaches of the last year placing coders and “their bugs” squarely in the security spotlight. But what is upstream of implementation bugs of causing these security issues? Application architecture and design. Effective application design is critical to application security. However, in many agile software groups, design and design processes are de-emphasized in favor of velocity metrics and developer productivity. The result is a perception of effectiveness that conceals a debt of security-related design flaws. By shifting security “left" (aka. earlier in the application development process) development teams are responsible for clear communication of design choices that impact security to security stakeholders, or risk costly rework.
In this talk, we will discuss the renewed focus of software design process and code complexity in software security. We will discuss specific breaches and how design decisions have contributed to those events. We will describe how design review can be modernized to help improve application security. And finally, we will discuss how to do design reviews right and elevate the quality of security design review conversations for technical and less-technical stakeholders.
Speaker
Kevin Gilpin
Enterprise Software Engineer
Kevin Gilpin is an enterprise software engineer with over 20 years of experience spanning various industries including healthcare, automotive, logistics, and life sciences. He was recently CTO of Conjur, then CyberArk Fellow following the acquisition of Conjur by CyberArk in 2017. He is a pioneer...
Read moreFind Kevin Gilpin at:
From the same track
A Continuation of Devops: Policy as Code
Organisations large and small are embracing devops and agile practices and transforming themselves into software companies. As part of that movement many organisations have embraced infrastructure as code, the idea that rather than systems administrators managing...
Gareth Rushgrove
Product Manager @Docker
Securing Services Using SSO
As BuzzFeed transitioned to microservices it needed to secure a growing number of internal tools. Our first solution was an open source auth service deployed in front of each app, but this approach had a number of scaling issues. The talk will discuss sso, our open-source, homegrown, centralized...
Shraya Ramani
Software Engineer @BuzzFeed
The Evolving Practice of Security
As technology has evolved from on-premise data centres to cloud native systems, the practices of managing that technology has evolved giving us benefits like continuous integration and deployment and configuration as code and cloud orchestration platforms. But security practices have generally...
Michael Brunton-Spall
Independent Security Consultant, previously Deputy Director for Technology and Operation, & Head of CyberSecurity of Government Digital Service
The Three Faces of DevSecOps
DevSecOps is the buzzword du jour in the world of security. Organisations increasingly understand that if you transform development and embrace DevOps, you must transform security as well. Failing to do so would either leave you insecure, or make your security controls negate the speed you aimed...
Guy Podjarny
Co-founder @SnykSec, previously CTO @Akamai