Caroline Wong, Vice President of Security Strategy

Security does matter, and figuring out how to go about doing it can result in brain explosion. For example, the BSIMM has a list of 110+ security controls. What are the bare minimum security controls that should be in place for any DevOps organization

There are 3 main reasons why security matters for DevOps.
Reason #1: Sales / Acquisition. A potential customer or acquirer wants to know what the company is doing about security.
Reason #2: Press. The company wants to avoid negative press headlines resulting from a security breach. Let’s think about this for a moment, though. Isn’t the reason any company cares about press because it doesn’t want bad press to affect their sales or potential acquisitions? (See: Verizon and Yahoo). So perhaps we’re back to just one reason  –  sales.
Reason #3: Compliance. The company needs to comply with PCI, HIPAA, or another requirement in order to do business or meet a customer requirement. Sounds familiar? A primary reason for compliance is to avoid slowing down… sales.
Remember when Bill Gates wrote that company-wide memo to all the employees at Microsoft talking about Trustworthy Computing? Was that for a noble cause? I suspect it was because Microsoft was starting to get questions about its security, and it didn’t want security issues to get in the way of… you guessed it, sales.

So if sales matters to companies, and security matters for sales, how does a company get started when it comes to “doing” security?

Katy Anton, Application Security Consultant

Cyber attacks are a real and growing threat to businesses and an increasing number of attacks take place at application layer. The best defence is to develop applications where security is incorporated as part of the software development life cycle.

How can developers write more secure applications? What are the security techniques they can use while writing the software that will help them produce more secure applications ?

This talk will present the main steps that will guide developers down the path of secure software. The presentation will describe each of the security controls that can be incorporated within software development life cycle and will provide real world examples on how to solve some of the most prevalent security problems on the internet.

Recommended to all builders and security professionals interested in incorporating security techniques as part of software development cycle and building more secure applications.

Jeff Williams, Co-founder & CTO

Security is so frustrating. Why can’t they just tell us what they need in advance instead of pointing out our mistakes after the fact. Why can’t security work the same way as quality, performance, etc… In this talk, Jeff will show you how to take control of security by turning it into code. He’ll provide real examples of how you can instrument your software for instant feedback on vulnerabilities during development and attacks in production — no scanning, no PDFs. He’ll also show how you can receive security alerts through the software toolchain you’re already using, just like any other kind of quality or performance issue. With continuous application security, you’ll fix issues early, before they get expensive. You’ll also be able to push code into production faster, without waiting for the security bottleneck. Security can be interesting and fun — let’s stop wrecking it!

Peter Chestna, Director of Developer Engagement

There just aren’t enough security experts to go around. You have to support the multitude of Agile and DevOps teams that are making production software changes anywhere from once a month to several times a day. The lack of resources coupled with the ever increasing responsibilities can make you feel like a rouge warrior in the battle against cybercrime. What’s a security professional to do? Whether you are a team of one or five, there aren’t enough hours in the day and even if there was more budget, good luck finding someone to fill that security role. What if I told you that through careful selection and good training it is possible to build your own army from the very people who own the development process?