The slides include 
+ links to my favorite #DevSecOps talks, blog posts, & useful tools.
I've organized them by category so that you can easily delve into whichever topics are most useful to you and your company right now.
Prikaži ovu nit
Over the past few years I've spent 100s (1000s?) of hours studying how companies have scaled their security.
Here are my @AppSecCali slides that distill what I've learned- the big, scalable, systematic wins that measurably improve your security posture.https://docs.google.com/presentation/d/1zbj9XBiv6r6zla0KHNfs63Ux45QZAfRut2zlK7o-dRw/edit#slide=id.g6555b225cd_0_1069 …
-
-
-
Talk structure
Big Picture
* Mindsets / Principles
* Choosing how to invest your time
Scaling Your Company's Security
* Fundamentals, scaling efforts, long term wins
Action Plan
* Tie everything together and put it into practicePrikaži ovu nit -
Mindsets / Principles
Automate as much as possible
Build guardrails, don't be gatekeepers
Prefer high signal tools & alerting (FNs > FPs)
Devs are your customers - security tool/library UI & UX are important!
And for the kids these days 
pic.twitter.com/26oWhsGt0w
Prikaži ovu nit -
Choosing How to Invest Your Time
Ask yourself:
Of my near / medium term tasks, which will provide the most long-term strategic value?
Can I do a near term task a little bit differently to make it much more useful later?Prikaži ovu nit -
Tools in Your Security Tool Belt
Key insight:
Certain approaches are *inherently* better or worse in certain situations, regardless of the specific tool.
Instead of:
"How can I make tool X better?"
Ask:
"Is approach Y a good fit for what I'm trying to do?"pic.twitter.com/xtk17O06vS
Prikaži ovu nit -
I also think it's useful to target vulns in terms of their * Class - XSS, SSRF, access controls, ... * Complexity - What level of analysis complexity is needed to find/prevent it consistently with high signal? Both can influence our approach.pic.twitter.com/Fu3Gz9ZIg1
Prikaži ovu nit -
Eventually your breakdown may look like this: * Secure defaults - solve many issues categorically * Tools - helpful for security baselines *
#BugBounty - Continuous coverage *#Pentesting - Find the hard stuff * Runtime monitoring - Best for finding certain hard casespic.twitter.com/VngdbgEkKa
Prikaži ovu nit -
Here's how the
@netflix#appsec team has been thinking about it: This first image is from@astha_singhal and@coffeetocode@AppSecCali '18: https://www.youtube.com/watch?v=L1WaMzN4dhY&feature=youtu.be&t=1855 … The 2nd is@HelloArbit & Esha Kanekar@AppSecCali '19: https://tldrsec.com/blog/appsec-cali-2019/#a-pragmatic-approach-for-internal-security-partnerships …pic.twitter.com/GUGBjYgPXU
Prikaži ovu nit -
The Fundamentals
* Vulnerability Management
* Continuous Scanning
* Asset Inventory
These are not the fundamentals because they're easy. In fact, they're *really* hard to do well.
But, if you have a solid base, you can build awesome, high leverage things on top of them.Prikaži ovu nit -
Vuln Management
Table stakes for knowing a) how you're currently doing and b) if your future initiatives actually help.
Minimize friction, track all vulns in 1 system, define a consistent workflow, track vuln class/risk/what found it/+ other meta info
Example dashboardspic.twitter.com/8DztY1deiW
Prikaži ovu nit
Kraj razgovora
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.