Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes, Redo скачать в хорошем качестве

Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes, Redo

Abstract: We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way. Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve classes of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for: Choosing what to focus your AppSec resources on How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company Bio: Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department of Defense fuzzing and exploiting obscure protocols. When not submitting patches, Grayson is hefting a heavy pack uphill, crafting guitar solos, or learning something new: currently woodworking