POLAND _ Test Army


Security Testing, The DevSecOps Way - Welcome To The Future!

Session type: 45 min talk

Session level: Intermediate

Waterfall is gone, and agile is here to stay. Plenty of people have heard about agile IT OPS, so-called DevOps, yet very few heard about successful implementation of DevSecOps. I want to share my experiences with implementing automated Static and Dynamic Application and Systems Security Testing. This is something that is being done by large and modern corporations such as Netflix, Facebook but lots of organisation lack the know-how of how to achieve automated security testing.

Plenty of people don't even believe in it, which is a shame because manual security testing is no longer practical in agile development world and I want to help them understand how to make their lives easier and quality of their software better.

Why? Because everyone deserves a security products and companies.

Key take-aways:

  • What is DevSecOps and how do you implement one in your company for better team's efficiency
  • Security automation is feasible and can be implemented at low cost.
  • The need for automated and agile security testing is a fact, not a a future anymore
  • Software engineers and SysAdmin should be as close to security as possible
  • External security teams and on-demand penetration testing don't scale
  • Why each organisation needs internal security processes AND penetration tests AND bug bounty programs
  • What tools can be used to get yourself started

Started out as a sysadmin/programmer and moved to offensive side of security to hack stuff. Accomplished quite a lot on offensive side and bug bounties, but that wasn't fulfilling enough to switched gears and became a security engineer to make world a safer place. Believed into DevSecOps before it became a big thing and worked on incorporating it into engineering culture at Egnyte. Became a Security Architect and Manager to lead all security strategies at Egnyte and to secure the organisation top to bottom.

On a side sharing knowledge with the community so that everyone can benefit from my experience. By end of Q1 2018 published a book on empathetic leadership, specifically explaining how it can be used to successfully lead a corporate security programme. Spend whole 2018 documenting his managerial journey and open sourcing lots of tools and other resources thanks to which other organisations can build their security from scratch and learn how to apply DevSecOps in real life. By end of 2018 gotten back to the roots which is offensive security with intent to stay there for a while and multiple the count of over 3000 bugs found in previous roles.