The Secure Coding Virtual Summit is your source for everything you need to build secure code from the ground up. Learn how leading AppSec and DevSecOps practitioners, analysts, and visionaries avoid getting stuck at the top of the ferris wheel.
From among our many topics, attendees will learn:
• How to prevent supply chain attacks from code through production
• Why developers struggle with application security
• How to protect your open source projects and create a secure CI/CD pipeline
• How remote work has influenced DevSecOps adoption
Growing usage of open-source software does not come without a price. Modern software's dependence on open-source components gives attackers an opportunity to compromise that software through the components themselves. This session should arm you with enough knowledge of the risks and countermeasures to avoid losing the race.
On July 8th, 2019, a bombshell 0-Day vulnerability was dropped on Zoom Inc that disclosed how anyone could maliciously join a victim’s Mac to a call with their video camera active simply by visiting a malicious website. Additionally, Zoom left behind a hidden daemon that would re-install the Zoom client after it had been uninstalled. It was later discovered that this “feature” could be abused to allow remote code execution. In this talk, I’ll discuss my communications with Zoom’s security team and the reasoning behind what led to my decision to resort to 0-Day disclosure. Additionally, we’ll walk through the post-disclosure timeline around how this vulnerability went from bad to worse, requiring the Apple security team to step in and use MRT to resolve this vulnerability.
Many organizations find it challenging to determine who is responsible for managing different security risks and for governing the methods and practices used to remediate open-source risks. Investing in industry-proven tools and applying the right tools during the appropriate phases of the SDLC will allow an organization to implement a scalable and reliable open source governance framework that reduces this risk and the potential for compliance-related issues across the enterprise.
Shifting left significantly reduces costs and diminishes release delays. Continuous security validation should be added at each step from development through production to help ensure the application is always secure. We can then switch the conversation with the security team from approving each release to approving the CI/CD process, with the ability to monitor and audit that process at any time. In this session, Sonya will focus on work done with a Jamstack open source project and show you how to create a secure continuous integration/continuous deployment pipeline. You’ll learn how GitHub Marketplace helped the team automate and improve their workflow with different tools for accessibility, code coverage, code review, code quality, security, compliance and other functionality (ChatOps with Slack). You’ll also find out what OWASP is and how to improve the workflow for your own open source projects using GitHub Marketplace applications.
Recent supply chain attacks, along with the U.S. Executive Order on Cybersecurity, have raised the priority of software security. With all eyes on secure coding, how do you ensure proper depth and breadth of app sec testing? How do you meet development deadlines without slowing down for security? This talk will address how to best approach modern software security by automating your CI pipeline for simplicity, visibility, and control.
We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone – putting the culture, processes, and tooling into place to make this happen is tough. Join StackHawk CSO Scott Gerlach as he shares his triumphs and failures while building DevSecOps practices and tools at companies such as GoDaddy, SendGrid, and Twilio. Dig into specific reasons why developers struggle with AppSec and what you can do to make it work better. Whether you’re a seasoned DevSecOps pro or just starting out, this will be an entertaining (and judgement-free!) talk you won’t want to miss.
We discuss recommendations and tools for credential and permission handling in your code running in AWS to facilitate least-access and least-privilege (including privilege bracketing), before looking into tools and techniques you can build into your CI/CD pipelines for code analysis, integrity assurance and penetration testing, and recommendations for how these pipelines can themselves have security checks incorporated in their automated build. We further examine some of the techniques used by AWS for modelling and formal verification of code, and how code builds and model validations can be synchronized.
Secure DevOps, DevSecOps, what do these words really mean for your organization? As we evolve to DevOps processes and start to break down the silos between different tribes, where does security fit in and why is it important? Join this session to find out:
* Why Secure DevOps is still important
* Why changing culture is key
* Where to start, top tips from the field
As the world pivoted to remote and/or hybrid work environments, the practices and principles of DevSecOps have become more critical. Non-traditional work environments by their nature necessitate stronger security awareness, where security is truly everyone’s responsibility, supported by automation and collaboration. In particular, developers now need to write, build, secure, deploy and potentially operate their code. This session will explore how a remote workforce has influenced enterprise adoption of DevSecOps from a people, process and automation perspective. The session will also be supported by data from DevOps Institute’s 2021 Upskilling report.