
Developer Driven Security in high-growth environments

2023-02-16

Authors: Jakub Kaluzny


Summary

The presentation describes a scalable and autonomous AppSec program that lets engineers own security in a high-growth environment. The program covers establishing principles and metrics, managing and motivating security champions, and using structured Threat Modeling as Code as the basis for AppSec innovations.
  • Engineers should own security in a high-growth environment
  • Each pull request should have an associated security review
  • Threat modeling should be done by engineers using a custom tool with automation
  • All deliverables or output should be stored in a database
  • Risk assessment should be used to determine which features need a security review
  • Security champions should be introduced to help with reviews
  • Autonomy levels should be introduced for teams and partners
  • Structured Threat Modeling as Code should be used for AppSec innovations
The speaker notes that in their organization each pull request has an associated Jira ticket and epic, and that the epic is what needs a security review. Risk assessment on those epics decides which features get a review, threat modeling is done by the engineers themselves with a custom tool, and the deliverables from every review phase are stored in a database so they can be queried and built upon later.
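The summary above describes two mechanisms without showing what they look like in practice: a threat model expressed as structured data ("Threat Modeling as Code") and a risk assessment that decides whether a change needs a security review. The following is an added illustration, not the speaker's tool and not code from the talk. Everything in it is an assumption: the component/threat schema, the STRIDE categories and 1-3 likelihood/impact scale, the `REVIEW_THRESHOLD` value, and the sample components and threats (constructed for the example). The point it demonstrates is that once the model is data, the "does this change need a review?" decision becomes a reproducible function that can be run in CI and its output stored.

```python
"""Threat Modeling as Code, minimal illustration (hypothetical schema).

Assumed model: components with a data classification and exposure flag, each
carrying STRIDE-categorized threats scored by likelihood x impact (1..3 each).
A change lists the components it touches; the aggregated open risk decides
whether a security review is required. Output is a JSON record so it can be
stored alongside the review itself.
"""
from dataclasses import dataclass, field
import json

STRIDE = {"S", "T", "R", "I", "D", "E"}
DATA_WEIGHT = {"public": 1, "internal": 2, "confidential": 3}
REVIEW_THRESHOLD = 12  # assumed cut-off, tune to the organization's appetite


@dataclass
class Threat:
    id: str
    category: str      # one STRIDE letter
    likelihood: int    # 1 (low) .. 3 (high)
    impact: int        # 1 (low) .. 3 (high)
    mitigated: bool = False

    def __post_init__(self) -> None:
        if self.category not in STRIDE:
            raise ValueError(f"{self.id}: unknown STRIDE category {self.category!r}")
        if not (1 <= self.likelihood <= 3 and 1 <= self.impact <= 3):
            raise ValueError(f"{self.id}: likelihood/impact must be in 1..3")

    @property
    def score(self) -> int:
        # A mitigated threat contributes no open risk
        return 0 if self.mitigated else self.likelihood * self.impact


@dataclass
class Component:
    name: str
    data: str                    # key of DATA_WEIGHT
    internet_facing: bool = False
    threats: list = field(default_factory=list)


def component_risk(c: Component) -> int:
    """Open threat score scaled by data sensitivity and exposure."""
    open_score = sum(t.score for t in c.threats)
    exposure = 2 if c.internet_facing else 1
    return open_score * DATA_WEIGHT[c.data] * exposure


def triage(model: dict, touched: list) -> dict:
    """Decide from the model whether a change touching `touched` needs review."""
    unmodeled = [n for n in touched if n not in model]
    risk = {n: component_risk(model[n]) for n in touched if n in model}
    total = sum(risk.values())
    # A component absent from the model is itself a finding: always escalate
    needs_review = bool(unmodeled) or total >= REVIEW_THRESHOLD
    return {
        "touched": touched,
        "risk_per_component": risk,
        "unmodeled": unmodeled,
        "total_risk": total,
        "needs_security_review": needs_review,
    }


def build_sample_model() -> dict:
    """Constructed sample data for the example (not a real system)."""
    login = Component("login-api", "confidential", internet_facing=True, threats=[
        Threat("T-1", "S", 3, 3),                   # credential stuffing, open
        Threat("T-2", "I", 2, 3, mitigated=True),   # token in logs, already fixed
    ])
    docs = Component("docs-site", "public", internet_facing=True, threats=[
        Threat("T-3", "T", 1, 1),                   # defacement
    ])
    worker = Component("report-worker", "internal", threats=[
        Threat("T-4", "D", 2, 2),                   # queue exhaustion
    ])
    return {c.name: c for c in (login, docs, worker)}


def to_record(result: dict) -> str:
    """Serialize a triage decision for storage with the review deliverables."""
    return json.dumps(result, sort_keys=True)


if __name__ == "__main__":
    model = build_sample_model()
    for change in (["docs-site"], ["login-api"], ["new-service"]):
        print(to_record(triage(model, change)))
```

The scoring here is deliberately simple; what matters for the program described in the talk is that the decision is derived from the model rather than from a reviewer's gut feeling, and that both the model and each decision are stored as data that can later be mined (for example, to find which threat categories keep recurring in reviewed changes).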

Abstract

I will present a case study of a scalable and autonomous AppSec program that allows one to manage the risk and review security for each code change in an organization that grows its Engineering group 50% YoY. I will talk about establishing principles and metrics to measure the success of that program, managing and motivating security champions, and scalable threat modeling methodologies and tools. I will show you how each engineer and security champion can model the threats by themselves, effectively and while preserving good quality. On top of that, I will explain how structured Threat Modeling as Code and deliverables from all security review phases can be used for AppSec innovations.

Materials: