The talks covered a wide range of topics, including:
* Threat modeling
* Protecting user accounts
* Scaling #appsec
* Building a defensible cloud env
* #Kubernetes security
* Securing third-party apps (Slack bots, Salesforce AppExchange)
* Cyber war and geopolitics
* Tools & more
I'll give you a quick blurb about each, starting with my top 10 favorite talks.
Note: talks are listed alphabetically within each category, not by order of preference.
@HelloArbit & Esha Kanekar on how the Netflix #AppSec team scales their security efforts:
* Paved Road
* Long term trust-based relationships
* Vuln metrics via #bugbounty, tools, pen tests
* Combine security team asks into 1 doc
* Automated risk classification
* Asset Inventory
@adamshostack describes how security can earn its seat at the development table:
* Be consistent in recommendations
* Adapt to the situation (e.g. if a lightweight approach is needed)
* Soft skills - respect, active listening, assume good intent, embrace diversity
Cyber insurance got you in a tizzy?
@thedeadrobots gives a whirlwind tour of the insurance industry, where it is today, and the terms and players you should know. Example cyber insurance policies, what to watch out for, all in a super fun talk.
@Koen_Hendrix on:
* Ranking @riotgames dev teams by security maturity
* Measuring impact of sec maturity via #bugbounty data
* Scaling #threatmodelling by adding this to sprint planning:
> How can a malicious user intentionally abuse this functionality? How can we prevent that?
Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security.
A masterclass in DevSecOps and modern AppSec best practices.
Feat. the wisdom of @astha_singhal, @frgx, @Divya_Dw, @dugdep (and yours truly).
Full summary here: https://tldrsec.com/blog/appsec-cali-2019-lessons-learned-from-the-devsecops-trenches/
@travismcpeak & @__muscles give an overview of efforts Netflix has undertaken to scale their cloud security:
* Segmentation
* Removing static keys
* Auto-least privilege of AWS permissions
* Extensive tooling for dev UX
* Anomaly detection
* Protecting AWS creds
* + future plans
@fredrickl teaches us how to make our AppSec program #swole with the big 3 "lifts" for #AppSec:
1. Code reviews
2. Secure code training
3. Threat modeling
Also:
* How to prioritize your efforts
* How/when to use automation
* Common pitfalls to avoid
* This buff baby
Masterclass by @hongyihu in the thought process behind & technical details of building scalable defenses; in this case, a proxy to protect heterogeneous internal web applications.
* Agnostic to backend tech
* Central place to build defenses into
* Emphasis on frictionless dev UX
@ejcx_ on what it's like being the first security hire at a startup (@segment, @Cloudflare):
* How to be successful (relationships, culture, compromise & continuous improvement)
* What should inform your priorities
* Where to focus to make an immediate impact
* Time sinks to avoid
@leifdreizler on practical, real-world tested advice on effectively working with devs and:
* Building a security team/program
* Making dev security training fun
* #bugbounty program protips
* Successfully implementing a security vendor
* Security Engineering embed program
Why can't you get an airline seat, see your favorite band, and your "new" giftcard is empty? Bots!
@kgosschalk describes why preventing account takeovers is hard, gives examples of sites bots attack & how, and recommends how to prevent account takeovers.
Julien Sobrier and Ping Yan on how Salesforce uses browser fingerprinting to protect against user account compromise, including by malware running on the same device as the victim. Shannon entropy is calculated on browser fingerprints, diffed over time, weighted by likelihood/magnitude.
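The entropy-weighted fingerprint drift sketched in that tweet, as an added example (not code from the talk or from Salesforce); the population data, the use of per-attribute Shannon entropy as the change weight, and the 1.5-bit threshold are all assumptions made for illustration:

```python
import math
from collections import Counter

# Constructed sample population of fingerprints seen across many logins
# (assumption: each fingerprint is a dict of attribute -> observed value).
POPULATION = [
    {"ua": "Chrome/72", "tz": "-480", "lang": "en-US", "screen": "1920x1080"},
    {"ua": "Chrome/72", "tz": "-480", "lang": "en-US", "screen": "1920x1080"},
    {"ua": "Chrome/72", "tz": "-480", "lang": "en-US", "screen": "1440x900"},
    {"ua": "Chrome/72", "tz": "-480", "lang": "fr-FR", "screen": "1440x900"},
    {"ua": "Firefox/65", "tz": "-480", "lang": "en-US", "screen": "1366x768"},
    {"ua": "Firefox/65", "tz": "-480", "lang": "en-US", "screen": "1366x768"},
    {"ua": "Firefox/65", "tz": "-480", "lang": "en-US", "screen": "2560x1440"},
    {"ua": "Firefox/65", "tz": "-480", "lang": "fr-FR", "screen": "2560x1440"},
]


def attribute_entropy(population):
    """Shannon entropy (bits) of each attribute's value distribution.

    An attribute that varies widely across users (high entropy) says more
    about whether a different device is in play than one everybody shares,
    so its entropy is used as the weight of a change in that attribute.
    """
    weights = {}
    for attr in population[0]:
        counts = Counter(fp[attr] for fp in population)
        total = sum(counts.values())
        weights[attr] = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return weights


def drift_score(previous, current, weights):
    """Sum the weights of every attribute that changed between two
    fingerprints of the same account (the 'diffed over time' step)."""
    return sum(w for attr, w in weights.items() if previous.get(attr) != current.get(attr))


def is_suspicious(previous, current, weights, threshold=1.5):
    """Flag a login when weighted drift exceeds the threshold (assumed value)."""
    return drift_score(previous, current, weights) > threshold
```

A shared timezone contributes nothing to the score even when it changes, while a user-agent and screen change together exceed the threshold and would trigger a step-up check.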
@kelleyrobinson discusses her experiences calling in to 30 different call centers:
* What info they requested to authenticate her
* What they did well
* What they did poorly
* Recs for designing more secure call center authentication protocols
@dontlivetwice describes how @Pinterest protects users whose creds have leaked in 3rd party breaches:
1. Ingest breach info
2. Determine creds matching Pinterest users
3. Tag matched accounts as high risk
4. Protect accounts via programmatic and user-based actions
Hear five CISOs share their perspectives on:
* Baking security into the SDLC
* DevSecOps
* Security testing (DAST/SAST/bug bounty/pen testing)
* Security training
* and more!
Featuring @RAGreenberg, @coleencoolidge, Martin Mazor, Bruce Phillips, and Shyama Rose.
Kristen Pascale and Tania Ward of Dell EMC describe:
* What a PSIRT team is
* Dell's PSIRT team's workflow
* Common challenges
* And how PSIRT teams can work earlier in the SDLC with development teams to develop more secure applications
@appsecneil gives an overview of:
* cryptocurrencies & cryptocurrency exchanges
* The attacks exchanges face (app layer, wallets, user accounts, currencies themselves)
* The defenses they've put in place to mitigate these attacks
Alexandra Nassar on how to create a positive vuln management culture & process that works for devs & the security team:
* Meet w/ devs to understand their workflow & pain points
* Use dev systems for vuln mgmt. External tools => too much friction
* Use a single standard workflow
Brandon Sherman discussed his #AWS forensics experiment:
* Do EBS volume snapshots only contain in-use blocks?
* Does EBS volume type matter?
* Does instance type matter? (e.g. NVMe vs SATA)
+ chain of custody and cloud security best practices
@__muscles: how to detect when your AWS creds have been compromised & are used outside of your env, & how to prevent them from being stolen in the first place.
* https://github.com/Netflix-Skunkworks/aws-credential-compromise-detection
* Example proxy to block SSRF metadata service attacks: https://github.com/Netflix-Skunkworks/aws-metadata-proxy
@Lsitaraman describes:
* The history of authz implementation approaches
* The value of externalizing authz from main app code
* Authz in #Kubernetes
* The power of using Open Policy Agent (@OPA) for authz with Kubernetes and @ISTIO
@omerlh describes his quest to find a secrets management solution that:
* Supports GitOps workflows
* Is Kubernetes native
* Has strong security properties
Which led to the development of a new tool, Kamus: https://github.com/Soluto/kamus/
@_sarahyo on:
* Container and #Kubernetes best practices
* Insecure defaults to watch out for
And what happens when you do everything wrong and make your container or K8s publicly available on the Internet.
@bdpsecurity's "Fail, Learn, Fix" keynote discussed the history & evolution of the electrical, computer, & security industries. The way forward for security is:
* Sharing knowledge & failures
* Creating standard security patterns that devs can easily apply
@__apf__: Solving hard security problems requires tough tradeoffs.
1. Chip away at more tractable subproblems
2. Accept imperfection & criticism
3. Pay off debt over time - reduce the cost that decision may have made
e.g. Chrome site isolation, HTTP padlock, displaying URLs
A rousing history of security by @manicode, including the history of testing, OWASP projects, XSS, & important dates in AppSec. "Things are getting a lot better, & we should be proud of what we've done" + some humorous/aspirational predictions about the future of security.
@SecEvangelism gives the low down on what it's like to grab a bunch of EU diplomats, put them in a room, and run them through cyber warfare scenarios. This was a fascinating discussion of the interactions between technology, computer security, economics, and geopolitics.
@mkcop describes best practices for securely running unsafe third-party executables:
1. Profile the executable (strace) -> seccomp-bpf profile
2. Harden your app - input validation, examine magic bytes
3. Secure the processing pipeline - leverage sandboxing, secure network design