-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d7e356e
commit a1c1bcc
Showing
3 changed files
with
22 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,6 +18,7 @@ | |
| "cyberweapons", | ||
| "DBIR", | ||
| "Glenny", | ||
| "Herbie", | ||
| "httrack", | ||
| "ISAC", | ||
| "ISSA", | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| --- | ||
| layout: post | ||
| title: Secure360 2018 | ||
| author: jabenninghoff | ||
| comments: true | ||
| --- | ||
| As mentioned in my [last post]({% post_url 2024-05-20-past-talks %}), I've been cataloging my past talks and am posting the "missing" ones here. | ||
|
|
||
| Back in 2018, I spoke at Secure360 on "Integrating Security into Emerging DevOps". This was a brand new talk, based on my experiences from my first three years running Application Security at Express Scripts: | ||
|
|
||
| > Imagine building a software security practice. Now imagine building a security practice while your organization is modernizing software engineering, shifting from Waterfall to modern Agile/CI/DevOps. | ||
| > | ||
| > Teams are excited. Agile means more freedom, less bureaucracy, less security. Security rules are blockers; they are preventing software from being written and deployed, and are problems to be removed. The security team resists, worrying that agile will mean only that security bugs are pushed into production faster. | ||
| > | ||
| > In fact, modern software engineering and security are entirely compatible; the rigor and discipline that comes with DevOps supports strong security. The challenge is that security must evolve as the organization evolves, and must be part of the natural flow of how engineers develop software today. | ||
| > | ||
| > This session will present solutions for building security in to a modern software engineering organization that reduce friction, making the engineers happy, and reduce security issues, making the security team happy. By understanding the motivation and habits of software engineers, we can design security controls that satisfy both groups. | ||
| I've been meaning to post this talk for some time, as it was well received and a good case study on integrating security into a software engineering practice. Much like when Herbie Hancock hired funk musicians to play Jazz on his fusion album [*Head Hunters*](https://en.wikipedia.org/wiki/Head_Hunters), we hired people with a software engineering background to do security; our security engineers were developers, and our application security testing team had a QA background. In this way, we were able to extend the software engineering practice into security and avoid much of the conflict that can occur when staffing AppSec with traditional security professionals. | ||
|
|
||
| Slides from that talk are available [here](/assets/security-devops-bennignhoff-secure360-2018.pdf). |
Binary file not shown.