SecAppDev 2022 Lecture Details

Everything-as-Code - Ideas for a new world of AppSec

Abhay Bhargav
Tuesday June 14, 11:00 - 12:30
Short description

Showcasing techniques, tools and practices that underscore and highlight concepts of security-as-code for application security.

Abstract

With cloud-native, rapid-deployment micro-services, the way we deliver apps has changed forever. With scale and automation, AppSec and DevSecOps are undergoing a quiet transformation. In this session, we explore the various ways the "as-code" movement has changed AppSec, from access control to threat modeling; from identity to injection. We discuss how security-as-code aims to mitigate some persistent AppSec problems using plenty of demos and real-world anecdotes.

Key takeaway

Understanding decoupled security controls for microservice stacks and various approaches to implement security-as-code

Content level

Deep-dive

Target audience

AppSec professionals, cloud/cloud-native pros and practitioners, DevOps and DevSecOps professionals

Prerequisites

Basic knowledge of AppSec vulnerabilities and defenses, cloud/cloud-native technologies, and DevSecOps

Abhay Bhargav

CEO, AppSecEngineer

Abhay Bhargav is the Founder of we45 and AppSecEngineer. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, AppSecDay Melbourne, CodeBlue, BlackHat and so on.

Related security processes sessions

Hands-on threat modeling

One-day workshop by Sebastien Deleersnyder

This is a Threat Modeling course for DevOps Engineers to improve reliability and security of delivered software. We will teach an iterative and incremental threat modeling method.

You will perform threat modeling in 4 sprints. Exercises are built upon a fictional system, migrating a legacy system towards a cloud application:

  • Modeling a hotel booking web and mobile application, sharing a REST backend
  • Threat identification as part of migrating the system to AWS
  • AWS threat mitigations for the booking system built on microservices
  • Building an attack library for CI/CD pipelines

Security processes Thursday June 16, 09:00 - 17:00

Solid foundation for a secure future

Lecture by Jaya Baloo

How do we build a better future for information security? This session will discuss the importance of security, along with a path towards a more secure future.

Security processes Wednesday June 15, 16:00 - 17:15

Enterprise security architecture and app development

Lecture by Stefaan Van daele

Developing secure code is a good start, but what more could you do from a security point of view? This session puts secure application development in the context of an Enterprise Security Architecture model and illustrates how these two processes interact.

Security processes Monday June 13, 11:00 - 12:30

Level up your threat modeling practice

Lecture by Sebastien Deleersnyder

We pulled together our threat modeling vision and strategy with OWASP best practices to create a 'Threat Modeling Playbook'. It shows you how to turn threat modeling into an established, reliable practice.

Security processes Tuesday June 14, 14:00 - 15:30

Persona-based security and threat-modeling

Lecture by Deepak Subramanian

The session will include a presentation about persona-based security leading to persona-based threat modeling. If time permits, a small exercise will be held to create a persona-based organizational threat model.

Security processes Wednesday June 15, 14:00 - 15:30