APJ: 12pm – 4pm AEDT | Europe: 10am – 2pm GMT | Americas: 11am – 3pm ET

DEVSECOPS IN 15MIN OR LESS!

Join us at DSC⚡️ for a virtual, action-packed afternoon of back-to-back lightning talks covering all things DevSecOps.

Besides the lightning talks delivered by well-known pros, be prepared for interactive panel discussions with our speakers, awesome MCs and a number of virtual networking activities.

Grab your ticket now

Agenda

APJ: 12pm – 2pm AEDT  | Europe: 12pm – 2pm GMT | Americas: 12pm – 2pm ET

APJ

12:00 PM AEDT
Welcome & Kick off 
12:05 PM AEDT
Vandana Verma
Getting to know the Unknown space
Modernising applications is the need of the hour. However, we still see vulnerabilities like SQL injection, sensitive data exposure, and many more creeping in. When loopholes in applications (legacy, desktop, web, mobile, microservices) are exploited, they can give threat actors visibility into and access to the organisation’s data.
According to one piece of research, 96.8% of code on the internet is open source. With open source eating up the whole internet, it becomes imperative to understand how it is used: if open source libraries are not used properly or updated on time, they can make applications severely vulnerable. In this talk, we will look at the hidden threats in open source projects and see how we can find them before someone else does.
Vandana Verma Sehgal – Snyk, Security Relations leader
12:35 PM AEDT
Software Bill Of Materials in Buildpacks
The Cloud Native Buildpacks (buildpacks.io) specification addresses a key area of software security, namely the Software Bill of Materials (SBOMs). In this talk, I will demonstrate an implementation of the Buildpacks spec – Paketo – which will provide a detailed SBOM as part of the container image build process. The workflow outlined in the talk/demo will showcase a means to improve the security posture of container images in many ways – but the focus will lie on the SBOMs.
Key takeaway: Security teams and/or security-focused teams will find a way to create SBOMs with little-to-no effort.
Ram Iyengar – Developer Advocate at the Cloud Foundry Foundation
12:55 PM AEDT
Demystifying CTI in DevSecOps
Threat Intelligence is a powerful domain for collecting information and using it for actionable, evidence-based security. It is often associated with pentesting and incident response, but it is useful to know how it can play a significant role in DevSecOps. This talk will focus on exploring the integration of CTI and DevSecOps.
Aastha Sahni – Lead CyberSecurity Instructor at Flatiron School | Founder CyberPreserve & Lean In Breaking Barriers Circl
01:15 PM AEDT
Tanya Janca
Building Security Champions

With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. This leads us to several questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?

This session will teach you:
• How to attract the right people to your program
• What and how to train them
• How to engage them, and turn them into security advocates
• What to delegate and what NOT to delegate
• What to communicate, how often and to whom
• How to motivate them
• How to build an AMAZING security champion program

Tanya Janca – Founder & CEO at We Hack Purple Academy!
01:35 PM AEDT
How to lose 500k in 5 minutes

Ever made a mistake so big it cost you 500k? Randall has! In this lightning talk, Randall will explain how he single-handedly lost 500k due to sloppy engineering practices and why he’s now a DevSecOps fanatic.

Randall Degges – Head of Developer Relations & Community at Snyk
01:55 PM AEDT
Avoid common cryptographic failures, so your data doesn’t get jacked

Most sensitive data exposure incidents are caused by poor implementation of cryptography and key management, rather than by weak encryption algorithms. This talk will explore some of the common causes of cryptographic failures, the attack scenarios that exploit them, and practical measures you can take to avoid them.

Howard Poston – Security Advisor at Ubiq Security
02:15 PM AEDT
Break

Grab a coffee and join us in 15 minutes for more amazing content

02:30 PM AEDT
Stopping the Security Groundhog

The Security Groundhog is someone who, like the US holiday animal, pops their head out of the ground at the last minute to test the weather. If the groundhog sees their shadow, it means four more weeks of development for your team. Let’s talk about how to keep this animal at bay and ship on time.

Erik Costlow – Editor, InfoQ Java queue
02:50 PM AEDT
How to enable data protection without reducing agility

Data protection is mandatory for apps with growing privacy requirements and a need to provide customer assurance. Customers typically take one of two approaches, both of which reduce your agility. One, they enable disk/storage encryption as part of their cloud platform, such as S3 encryption. Two, they allow their developers to enable encryption themselves. What are the problems with these approaches, and what should good data protection look like?

Charles Ho – APAC Business Development at Ubiq Security
03:10 PM AEDT
Leveraging GitHub Actions for DevSecOps

GitHub offers a CI/CD service through GitHub Actions. Developers use GitHub Actions for continuous integration, and the ops team uses it for continuous deployment. In this talk, we will see how the security team can use GitHub Actions to improve application security, and learn how to perform SCA, SAST, and DAST with GitHub Actions. By the end of the talk, attendees will know the basics of GitHub Actions and how to automate security with them.

Joshua Jebaraj – Associate Security Researcher at we45
03:30 PM AEDT
Why SecDevOps is the new way in Cybersecurity?
“Development” and “Deployment” are two integral parts of the CI/CD pipeline, which constitutes continuous integration, delivery, and deployment.
But we have made security optional, or bring it up at a later stage.
SecDevOps makes sure that your security posture and mechanisms are integrated as early as possible, so that we are not deploying applications with vulnerabilities.
That’s the whole idea of SecDevOps.
Want to be secure from the start? Opt for SecDevOps.
Saman Fatima – Data Engineer at Macquarie Group
03:50 PM AEDT
That’s a wrap

Join us in 5 hrs when we kick off the EMEA arm of DSC⚡️

Europe

10:00 AM GMT
Welcome & Kick off 
10:05 AM GMT
Know thy neighbours: dependency management done right
Modern application development is heavily dependent on third-party libraries. When looking at an average project, the amount of your code can be as little as 1%. As we do care a lot about the code we write, how do we augment this on the packages we depend on? Let’s look at best practices on how to build a proper dependency management strategy. How to pick dependencies, update them, and clean out manifest files with tons of dependencies. And maybe even more important, what happens if we are not on top of this?
Brian Vermeer – Senior Developer Advocate at Snyk
10:35 AM GMT
Surviving the NGINX Ingress CVE-2021-25742 through Codified Security: Live exploitation demo and mitigation.
CVE-2021-25742 was announced on October 21st, with some of the top experts in Kubernetes security engaging immediately in discussions around its seriousness and around policy-as-code solutions to prevent exploitation. In short, the vulnerability was related to the fact that users with limited access to a Kubernetes cluster, but with the ability to create an Ingress object based on the NGINX Ingress Controller, had the ability to elevate privilege and access full cluster secrets. The reality is that this exploitation could go far beyond that initial assessment. In this talk I’ll explain the problem and show example exploits, followed by what we at Bridgecrew have added to Checkov (referencing other solutions such as OPA) to create automated preventative measures that ensure Kubernetes clusters with NGINX Ingress do not fall victim to this vulnerability.
Steve Giguere – Developer Advocate at Bridgecrew
10:55 AM GMT
Are We Forever Doomed By Software Supply Chain Risks?

The adoption of open-source software continues to grow and creates significant security concerns for everything from software supply chain attacks in language ecosystem registries to cloud-native application security concerns. In this session, we will explore how developers are targeted as a vehicle for malware distribution, how immensely we depend on open-source maintainers to release timely security fixes, and how the race to the cloud creates new security concerns for developers to cope with, as computing resources turn into infrastructure as code.

Liran Tal – Director of Developer Advocacy at Snyk
11:15 AM GMT
Why developers should take care of cloud infrastructure drift

Infrastructure as code is getting increasingly popular and used by developers to deploy and manage cloud resources. But are we sure it’s enough to cover everything that changed or was created outside of the expected process? Let’s talk about drift and what to do about it as developers.

Stephane Jourdan – Senior Product Manager at Snyk, driftctl creator
11:35 AM GMT
Clean and Secure Infrastructure as Code

The clean code and secure design principles are well known in modern, agile software development. But what has become the default for our business code unfortunately by no means applies to our infrastructure code. Instead, we find badly crafted and insecure code that has been developed using a trial-and-error approach. However, for modern cloud-based systems the infrastructure code plays a crucial role. So it’s about time we begin to treat it as a first-class citizen!
In this talk we briefly highlight useful patterns, practices, tools and frameworks that help to craft clean and secure infrastructure as code.

Mario-Leander Reimer – Principal Software Architect at QAware GmbH
11:55 AM GMT
Container defaults are a hacker’s best friend

Just because you’ve containerized your application, it doesn’t mean hackers aren’t still exploiting it. Containers are not a silver bullet; you still have to harden against exploits. In this lightning talk I’ll show you how default settings in your cluster make life easier for bad actors and how some simple mitigation efforts can protect you from many types of attacks.

Eric Smalling – Senior Developer Advocate at Snyk
12:15 PM GMT
Break

Grab a coffee and join us in 15 minutes for more amazing content

12:30 PM GMT
Empowering the Modern SOC

Organizations are dealing with distributed employees and the challenges that come with it, but the biggest shift for many organizations is empowering their now distributed SOC teams. This session is intended to enhance the current threat-hunting skill set of organizations and ensure teams are equipped to detect and respond even in a remote world.

Neha Dhyani – Sr Security Consultant at VMware Carbon Black
12:50 PM GMT
A Deep Dive Into Kubernetes Schema Validation

How do you ensure the stability and security of your Kubernetes clusters? How do you know that your manifests are syntactically valid? Are you sure you don’t have any invalid data types? Are any mandatory fields missing? Most often, we only become aware of these misconfigurations and security flaws at the worst time – when trying to deploy the new manifests.

In this talk, we will review how to overcome this challenge with OSS tooling that can be integrated seamlessly into your deployment process.

Shimon Tolts – CEO & Co-Founder at Datree, AWS Community Hero
1:10 PM GMT
Josh Grossman
Count up from zero day – when a critical vulnerability takes you by surprise

If an unpatched vulnerability is released but nobody notices, is it still exploitable? Spoiler alert, it most definitely is. This is a story about a 3rd party vulnerability affecting a product I am involved in. I’ll talk about the absurd way we found out about it, the confusion following the initial release, how we cut through that to take action and what questions remained unanswered afterwards. For breakers, this should be a useful overview of what it actually takes to remediate vulnerabilities in the field and important points to consider when reporting/disclosing vulnerabilities. For everyone else, there are lessons to learn on how to more proactively engage researchers, how to deal with 3rd party vulnerabilities and you can enjoy/empathize with a story about someone else having a bad day.

Josh Grossman – Head Of Security Services at AppSec Labs
1:30 PM GMT
Introduction to behavior analysis

Through this talk, I aim to show you how we can achieve that by implementing behavior analysis on Kubernetes at the application level (and not only). The main takeaways from this talk will be learning what exactly behavior analysis is, the benefits you can leverage by implementing it, and a real-world example of an implementation.

Rachid Zarouali – Freelance Cloud Architect / sevensphere
1:50 PM GMT
That’s a wrap

Join us in 2 hrs when we kick off the America’s arm of DSC⚡️

Americas

11:00 AM ET
Welcome & Kick off
11:05 AM ET
Keynote Panel – Shifting left isn’t enough – why there’s much more to achieving Dev-first security
We’ve seen and heard plenty when it comes to shifting left, but what happens when you want or have to take your security even further? Where do you go and how do you get there? Sonya Moisset, DJ Schleen, and Waleed Arshad’s keynote panel is here to get you to your destination as quickly and safely as possible!
DJ Schleen – Vice President, Infrastructure and Developer Operations at VillageMD
Sonya Moisset – Principal Security Engineer at Photobox
Waleed Arshad – Community Manager at Snyk
11:35 AM ET
The OWASP Top Ten 2021 Release

The OWASP Top 10 is a standard awareness document for web developers and web application security professionals. It represents a broad consensus about the most critical security risks to web applications. As software developers author code that makes up a web application, they need to embrace and practice various secure coding techniques. This talk provides a review of the OWASP Top Ten from a defensive perspective to aid developers in pursuing secure software. The OWASP Top Ten 2021 includes:

A01:2021-Broken Access Control
A02:2021-Cryptographic Failures
A03:2021-Injection
A04:2021-Insecure Design
A05:2021-Security Misconfiguration
A06:2021-Vulnerable and Outdated Components
A07:2021-Identification and Authentication Failures
A08:2021-Software and Data Integrity Failures
A09:2021-Security Logging and Monitoring Failures
A10:2021-Server-Side Request Forgery

Jim Manico – CEO and Application Security Educator at Manicode Security
11:55 AM ET
AppSec: A brief history

Journey through a brief history of web application security to better understand where we might be going next.

Ken Johnson – Staff Application Security Engineer at Github
12:15 PM ET
Encrypting Data So Even Your DBA Can’t Get It

Encrypting data at rest through disk- or database-level encryption isn’t good enough; your DBAs, DBEs, and anyone with privileged access can still get to it. Learn how application-layer encryption solves this problem by allowing your applications to encrypt the data before it gets to its resting place – without having to change your data structure or touch your database. You’ll come away with a new appreciation for why disk/platform-level encryption isn’t good enough, how application-layer solves that problem, and how you can integrate it into your applications.

Sam Craig – CTO at Ubiq Security
12:35 PM ET
How to Influence Developers The Right Way: A Security Team Story

Join us as we explore how to close the gap between Security and Software Engineering teams. Attendees will learn how to facilitate and reward engagement with their security teams. By closing this rift, Developers are able to confidently go fast and far knowing they have done right by security. The benefits for the SDLC and team morale are immense. It is time to start working together.

Kyle Suero – Senior Security Advocate at Snyk
12:55 PM ET
How to report a vulnerability: Responsible Disclosure for Developers

Ever seen a security-related issue that you felt should be reported? Unsure how reporting a security issue differs from reporting a regular bug? Developers of any level should know how to report a vulnerability. In this talk, we will cover what CVEs are and some general vulnerability classifications, look at a few common ways you can report security issues, and look at a few common mistakes. This talk is geared toward non-security professionals.

Brian Demers – Developer Advocate at Okta
1:15 PM ET
Break

Grab a coffee and join us in 15 minutes for more amazing content

1:30 PM ET
Seth Law
TLDR; Secure Code Reviews

There isn’t any getting around it: manual secure code reviews are hard. But there is hope! By following a defined methodology and process, any code base is approachable. Join Seth for some quick tips and strategies for identifying security issues in code, gleaned over a decade of performing secure code reviews.

Seth Law – Principal Consultant at Redpoint Security, Inc.
1:50 PM ET
James Wickett
Tales from the VOID

What if the metrics and processes we use everyday to track availability and reliability are incorrect? We’ve gathered almost 2,000 public incidents and outages and created the VOID (Verica Open Incident Database) at https://thevoid.community. The VOID makes public software-related incident reports available to everyone in order to make the internet a more resilient and safe place. After deep-diving into these incidents, we discovered some counterintuitive findings that will change how you handle availability, reliability, and security incidents in your organization. Join the research team behind the VOID in this talk and see where the project is headed next.

James Wickett – Head of Research at Verica
Courtney Nash – Senior Research Analyst at Verica
2:10 PM ET
Blasting Browser Security with Extensions

In this talk, Micah gives an overview of how browser extensions work and the web-ext tool for creating extensions that work in both Google Chrome and Mozilla Firefox. He then shows how to debug and test extensions locally as well as how to package them up for distribution. The talk culminates with a real-time attempt to get an extension with an over-powered list of permissions listed on the Chrome Web Store and the Firefox Browser Add-ons Store.

Micah Silverman – Director, Dev[eloper|Ops|SecOps] Acceleration
2:30 PM ET
Don’t Panic: Humane Incident Management

Incident Management is a stressful workflow. In this short talk, I will share strategies and tactics I’ve used to successfully collaborate on incidents to help broaden institutional knowledge and empathy, while learning from complex systems failing to improve organizations’ sites and services.

Joshua Timberman – Head of Advocacy and Community at Allma
2:50 PM ET
That’s a wrap

Speakers

Aastha Sahni
Brian Demers
Brian Vermeer
Charles Ho
Courtney Nash
DJ Schleen
Eric Smalling
Erik Costlow
Howard Poston
James Wickett
Jim Manico
Josh Grossman
Joshua Jebaraj
Joshua Timberman
Ken Johnson
Kyle Suero
Liran Tal
Mario-Leander Reimer
Micah Silverman
Rachid Zarouali
Ram Iyengar
Randall Degges
Sam Craig
Saman Fatima
Seth Law
Shimon Tolts
Sonya Moisset
Stephane Jourdan
Steve Giguere
Tanya Janca
Vandana Verma
Vandana Verma Sehgal
Waleed Arshad