
< session />
Tue, November 17 at 12:30 PM - 1:30 PM GMT+5:30TechLead
This talk tells the story of the implementation of an application security program in an agile, polyglot, cloud-first organisation.
With fast-moving teams, multiple programming languages and frameworks to support and an imperative to not slow down development, security engineering developed a distributed serverless event-oriented distributed architecture which orchestrates best-of-breed security tooling and makes results available to developers via the same tools they use as part of regular development activities, such as configuration management pull requests and Slack messages.
We go through the integration patterns for static application security analysis, software composition analysis, container security scanning and cloud compliance scanning, discussing the challenges specific to each tool and how the security engineering team was able to overcome or compensate for them.
We also discuss the collaborative approach taken in embedding security work in the same environment used by the rest of the development teams, allowing security engineers to understand the painful aspects of their proposed solutions and get feedback from developers. We will talk about how some tools were chosen in partnership with the development teams and how that helped with frictionless adoption.
Finally, we go through how making security metrics readily available and visible helped enable risk ownership by the development teams, shifting from a ""security approval"" to a ""security partnership"" approach to secure software delivery. This is demonstrated by increased development team engagement (particularly in earlier stages of the software development lifecycle), decrease in the number of security vulnerabilities and a much clearer perception of the technical risk and associated technical debt present in all software developed in the organisation.
< speaker_info />
Ulisses Albuquerque is an experienced developer with a passion for application security done using tools and processes which do not slow down delivery.
A long-term developer and open source advocate turned into a security professional, he utilises his experience to support development teams in building secure software via pre-approved and well maintained patterns and libraries, and by providing security metrics and checks as part of regular developer workflows such as pull requests and CI/CD hooks. He believes in symbiotic, empathetic relationships between security and application developers as a way to uplift security posture while avoiding saying "no" as much as possible.