SecAppDev 2023 lecture details
Secure defaults: developer-friendly security
We will go over the vision for secure defaults, and then discuss how we can improve processes, training and tools to support this approach. The advice in this session is backed by my research.
Monday June 12th, 14:00 - 15:30
Room West Wing
Abstract
Automation of security tools has made it possible to identify software vulnerabilities faster and earlier during development. Unfortunately, this evolution has produced hardly any reduction in the prevalence of vulnerabilities. On average, a company hires only one security expert for every 75-200 developers who must fix the detected problems, making it evident that security cannot be the expert's responsibility alone.
In this session, we explore how to make an impactful change. We investigate the processes, people, and technology involved and propose an approach to guarantee better software security throughout the SDLC.
Key takeaway
Security is no longer just the responsibility of the expert. Security training and tools should be adapted to fit a developer audience.
Content level
Deep-dive
Target audience
Managers, developers, and security professionals
Prerequisites
None
Pieter De Cremer
Senior security researcher, Semgrep
Expertise: Application security, secure defaults, developer-focused security tools
Claudio Merloni
Security research manager, Semgrep
Expertise: Application security, secure development and static source code analysis
Related lectures
Building a secure Software Development Lifecycle
Introductory lecture by Avi Douglen in room West Wing
Monday June 12th, 11:00 - 12:30
How does an SDLC become a secure SDLC? In this session, we use real-world stories to identify and overcome challenges to integrate security into a development lifecycle. You will learn how to build and implement a high-value AppSec program.
Key takeaway: Learn how to initiate a software security program, manage the program on an ongoing basis, keep it sustainable, and build stakeholder engagement and buy-in.
Third-party library security management
Deep-dive lecture by Jim Manico in room West Wing
Wednesday June 14th, 14:00 - 15:30
Managing third party library dependence is one of the most difficult challenges in software development and requires significant process and technical discipline. This session offers actionable advice on getting this challenge under control.
Key takeaway: To handle third-party dependencies securely, you need to reduce the number of libraries you use, vet the ones you do use, and keep them up to date.
OpenAPI: the common language of APIs
Deep-dive lecture by Isabelle Mauny in room Lemaire
Monday June 12th, 14:00 - 15:30
Understand how API contracts can be written with the OpenAPI standard and leveraged across the API lifecycle, including for security.
Key takeaway: Learn about the power and extensibility of OpenAPI and its application across the API lifecycle.