DevOps and Securing Applications – PSW #632
- Given that DevOps is a process and its execution requires many different tools, how do we get started "doing DevOps"?
- What about DevOps allows us to produce more secure applications?
- What concepts inside of DevOps do most people lose site of?
- What are the major challenges involved in taking an application from traditional development to DevOps?
- What are some of the best approaches to making an application more resilient to threats
- To ORM or not to ORM?
- Which services do you implement yourself vs. using a cloud service?
- How do I choose the best secrets vault?
- What should I use an orchestrator for and what should I not use an orchestrator for?
- How do I build a secure API for my app?
- Thoughts on GraphQL vs. REST security implications?
Chris Eng is Chief Research Officer at Veracode. A founding member of the Veracode team, he is responsible for all research initiatives including applied research and product security. Chris is a frequent speaker at industry conferences and serves on review boards for Black Hat USA and the Kaspersky Security Analyst Summit. He is also a charter member of MITRE’s CWE/CAPEC Board. Bloomberg, Fox Business, CBS, and other prominent media outlets have featured Chris in their coverage. Previously, Chris was technical director at Symantec (formerly @stake) and an engineer at the National Security Agency.
Eric is co-founder and Principal Security Engineer at Puma Security focusing on cloud security, static code analysis, and DevSecOps automation. His experience includes performing cloud security reviews, infrastructure as code automation, application security automation, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is also a Principal Instructor with the SANS Institute where he authors information security courses on cloud security, DevSecOps automation, secure coding, and defending mobile apps. He delivers security training for SANS around the world, and presents security research at conferences including SANS, BlackHat, OWASP, BSides, RSA, DevOpsDays, and ISSA.
Frank Catucci is a global application security leader with over 15 years of diverse experience which grants him the unique ability to see and lead information and application security with a unique, complete and holistic approach. Frank is currently leading efforts within application security and devsecops with groundbreaking security research, techniques and completeness of vision, as a pioneer and leader of application security and devsecops advancement.
As a technology leader with wide-ranging experience over 24 years at ADP, instilling entrepreneurial dynamism into product development has been a constant theme of my career. ADP is a world-class provider of solutions. My efforts delivered the technical vision and direction for dozens of products addressing complex business needs with well-designed simplicity. This set me up well to transition to helping other companies solve difficult problems… My value comes from knowing what to do to bring a product to life with minimal risk and maximum benefit to customers and the bottom line. I’ve seen just about every business, project, and technology situation, and can look at an idea from both big picture and detail perspectives to ensure a product’s success. Much of my work focuses on the people side of technology. I thrive on shaping great teams and cultures needed for breakthrough innovation, and on being an evangelist – I love to share knowledge about new products, practices, and technologies to help emerging companies punch above their weight and achieve their business goals through technology.
For over the last 20 years, Jason has been ethically peering into Client Behavior, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he’s taken hundreds of organizations through difficult compliance mine fields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence’s customers safe.
Joshua Corman is a Founder of I am The Cavalry (dot org), and recently served as Chief Strategist for the CISA COVID Task Force. He previously served as CSO for PTC, Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, and other senior roles. He co-founded RuggedSoftware and IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. His unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an Adjunct Faculty for Carnegie Mellon’s Heinz College, and was a member of the Congressional Task Force for Healthcare Industry Cybersecurity.
Sandy is a principal analyst at Forrester advising security and risk professionals on application security, with a particular emphasis on the collaboration among security and risk, application development, operations, and business teams. Her research covers topics such as proactive security design, security testing in the software delivery lifecycle, protection of applications in production environments, and remediation of hardware and software flaws.