Automate Security, Don't Tell Your Boss
Conference: OWASP 20th Anniversary Event
2021-09-24
Authors: Matt Tesauro
Summary
The presentation discusses the benefits of automating security and the key elements needed to be successful. It emphasizes the importance of optimizing the work of security personnel, increasing team throughput, engaging and supporting external teams, and improving consistency and visibility through automation.
- Traditional appsec is slow, painful, and ineffective
- Automation can optimize the work of security personnel and increase team throughput
- Defect Dojo is an open source security orchestration platform for vulnerability management that can consolidate security findings and provide a single source of truth
- Automation can improve consistency, visibility, and tracking of work status
- Automation can reduce friction with dev teams by speaking their language and providing results in a way that works for them
- The presentation recommends reading books on DevOps and applying its concepts to security
- The presentation suggests using app pipelines to make security fast and customized
Abstract
This talk instills the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered including increasing team throughput, engaging and supporting external teams, The idea is to give those attending a leg up on starting a security automation program and allowing them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of security automation quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a security automation journey right away.
Materials:
Post a comment
Related work
Conference: KubeCon + CloudNativeCon Europe 2022
Authors: Fabrizio Pandini, Rafael Fernández López
2022-05-18
Conference: KubeCon + CloudNativeCon Europe 2023
Authors: Konstantinos Kapelonis, Ilia Medvedev
2023-04-19