AppSecCon 2022

Application security operations tend to be difficult to scale and can be painful. Application development has changed radically: From waterfall to Agile development and from monolithic application architecture to microservices and software delivered at the edge. Software development is growing exponentially and the speed at which software is created has also accelerated dramatically. We have accelerated from yearly releases to multiple releases every week or, in some cases, every build. However, approaches to application security have not transformed to keep pace. Application security professionals increasingly find themselves falling behind—and many are forced to piece together manual reporting and workflows across siloed security tools as stopgaps.

In this presentation you will learn:

• How to identify the source of AppSec chaos and how to bring order to it
  ‍
• Challenges in scaling AppSec programs and how to overcome them
  ‍
• Why visibility and automation are very important for scaling AppSec

Securing software in a world moving at the speed of DevOps is a monumental challenge. To take this challenge head-on, more than 25 innovative security leaders came together to build a community and create the Purple Book. This free resource documents current software security challenges and approaches that work with the goal of helping people and organizations everywhere work toward simplifying security while staying protected and compliant.

In this panel discussion you will learn:

• The importance of community and how Purple Book helps coalesce and document security expertise
  ‍
• Overview of the Purple Book chapters
  ‍
• The future for Purple Book and its community and how to get involved

Zero-trust has recently come into focus as a powerful tool to combat the recent explosion of cybersecurity attacks. However, developers new to the concepts and framework are left with more questions than answers: What does the death of “trust but verify” mean for developers? How does zero-trust relate to DevSecOps? How can developers work within a zero-trust zero-trust framework while still maintaining agility and flexibility? Join this session to get these questions answered and more.

In this session you will learn:

• The what, why and how of zero-trust in DevSecOps
  ‍
• How to set up zero-trust DevSecOps in your organization
  ‍
• How to create a holistic zero-trust DevSecOps strategy that doesn’t slow down development or release timelines

Security is the hottest topic in application development; it is literally headline news. The job market is ‘hot’ and companies in all industries are hiring cybersecurity professionals. In order to seize this opportunity, how do you maximize your impact? An important part of making headway in this new space is building your personal brand. Your brand will help you stand out from the crowd and open up new opportunities and career paths. Start building that AppSec brand today.

In this session you will learn:

• How to become a security thought leader, externally and within your organization|
  ‍
• How to measure and communicate your successes
  ‍
• How to get involved in the industry and broaden your network

For an AppSec program to be successful, it needs to be operationalized. This means the solution provides the necessary visibility, collaboration and productivity with tangible results. The question then becomes whether to build or buy. Is it worth building and maintaining your own AppSecOps platform? Or is a prebuilt vendor solution more cost-effective?

In this panel discussion you will learn:

• The importance of an AppSecOps platform for scaling your AppSec program
  ‍
• Critical capabilities needed in an AppSecOps platform
  ‍
• Tradeoffs between build versus buy and how to make the right choice for your organization

Most SaaS service providers have adopted a microservices-based architecture with an API-first approach. Engineering and product leaders mandate that teams innovate at a rapid pace to keep up with hypergrowth. To keep up, development teams have embraced Agile methodology for product development and have adopted DevOps and DevSecOps practices. DevSecOps seeks to shift security left in the development cycle and, in this presentation, we will talk about practical approaches for making DevSecOps successful. We will discuss all the security and compliance controls that need to exist in a typical CI/CD environment both from a process and tooling perspective. Our talk will address these challenges both from engineering and security perspectives.

Whether you have SOC2, HIPAA, GDPR, PCI or ISO requirements for application development,  governance, risk and compliance (GRC) is an essential practice for your organization. You literally can’t ship without compliance, a large undertaking with serious budget and schedule implications. Software organizations struggle with scaling and managing GRC while also modernizing their development pipeline with Agile and DevOps and Cloud deployment.

In this panel discussion you will learn:

• The challenges of applying GRC to a modern software development process
  ‍
• Core elements of any scalable GRC practice
  ‍
• How to collaborate across teams to ensure continuous compliance

The modern approach to software delivery changed from annual releases on dedicated hardware to monthly, daily or even continuous releases deployed on dynamically created and configured containers in the cloud. To keep pace with this rapid and dynamic nature of modern software delivery, the approach to vulnerability management has to change. The focus can no longer be on infrastructure and perimeter defense;, consideration is needed for the application and rapid release schedules.  There needs to be a holistic view of vulnerability management that spans infrastructure and applications.

In this session you will learn:

• Unify infrastructure and application security vulnerabilities to get a 360-degree view of your security posture
  ‍
• Leverage correlation of findings across security tools and automation to scale the impact of your security team
  ‍
• Coordinate and collaborate across appsec and development teams to reduce remediation times

The quest to identify and address risks in someone else's software product is not for the faint-of-heart! It requires close coordination, cooperation and, ultimately, consent from your business partners - both inside and outside of your organization. How do we standardize an approach to managing software supply chain risks that is both reasonable and fair to our suppliers - and business units that rely on them - without compromising on security and exposing our organization to unacceptable risks?

In this session you will learn:

• How to achieve and formalize internal consensus about your organization's risk
  tolerance for third-party software
  ‍
• How to tailor diligence approaches appropriate for that level of risk tolerance
  ‍
• How to avoid the traps of exceptions and risk acceptances

The recent Log4Shell and other Log4j vulnerabilities shook the industry. Security teams and developers around the world have been scrambling to respond as quickly as possible. Despite this response, the impact of these vulnerabilities will be felt for years. Log4j isn’t the first significant zero-day vulnerability, nor will it be the last. An important step for improving your security posture is learning how to prepare for the inevitable, the next black swan event, and ensure your organization is able to respond fast and respond well.

In this panel discussion you will learn:

• Personal experiences responding to Log4j
  ‍
• Challenges and successes across the industry
  ‍
• How to prepare for the next zero-day attack

A successful AppSec program begins with the realization that security is, first and foremost, a people problem. Tools and processes don’t improve security alone. Hiring great people, along with training and awareness, is a key part of AppSec success. Finding the right kind of team players is key, those who can work across organizational boundaries and excel at facilitating the collaboration between security and development teams.

In this session you will learn

• The technical and non-technical skills to look for in an AppSec engineer
  ‍
• How to coach your existing team to become AppSec professionals
  ‍
• How to get new hires “up and running” quickly and scale the impact of the team

Join your peers to wrap up two days of exciting AppSec content in this closing session of AppSecCon. Although lots of ground has been covered, there’s still lots to do and discuss. How will your AppSec plans change after the conference?

In addition, the session will talk about the community we’ve created and how to carry this forward. We hope you’ll continue the dialogue at the Purple Book Community, a place to connect practitioners and equip them with the expertise to embrace secure development practices, solve ever-evolving challenges, and ultimately democratize software security.

In this session you will learn:

• The ever-evolving nature of the AppSec and AppSecOps dialogue
  ‍
• The power of community working together and learning from peers
  ‍
• How the Purple Book Community can help
  ‍
• Launch of the Purple Book of Software Security! The full book will be made available on May 19th at 9:00 AM PST