The presentation discusses a scalable and autonomous AppSec program that allows engineers to own security in a high-growth environment. The program includes establishing principles and metrics, managing and motivating security champions, and using structured Threat Modeling as Code for AppSec innovations.
- Engineers should own security in a high-growth environment
- Each pull request should have an associated security review
- Threat modeling should be done by engineers using a custom tool with automation
- All deliverables or output should be stored in a database
- Risk assessment should be used to determine which features need a security review
- Security champions should be introduced to help with reviews
- Autonomy levels should be introduced for teams and partners
- Structured Threat Modeling as Code should be used for AppSec innovations
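To make the last five points concrete (engineers threat-model their own feature with an automated tool, the output is stored in a database, a risk assessment decides how much security review a change needs, and the team's autonomy level shifts that threshold), here is an added example of a minimal "threat model as code" evaluator. It is constructed for this summary and is not the presentation's tool: the record format, the weights, the three review tiers, the autonomy thresholds and the SQLite schema are all assumptions.

```python
"""Evaluate a threat-model-as-code record and decide the review tier.

Constructed example: the record format, weights, autonomy levels and
database schema are assumptions, not the presentation's own tool.
"""
import json
import sqlite3

# Constructed sample record, the kind of file an engineer would commit
# next to the feature and reference from the pull request.
SAMPLE_MODEL = {
    "feature": "export-billing-report",
    "team": "payments",
    "pull_request": "PR-PLACEHOLDER",
    "data_classification": "pii",            # public | internal | pii | financial
    "exposure": "internet",                  # internal | partner | internet
    "changes": ["new_endpoint", "authz_change"],
    "mitigations": ["authz_tests", "input_validation"],
}

# Assumed scoring weights; a real program tunes these against its own findings.
DATA_WEIGHT = {"public": 0, "internal": 1, "pii": 3, "financial": 4}
EXPOSURE_WEIGHT = {"internal": 0, "partner": 2, "internet": 3}
CHANGE_WEIGHT = {"new_endpoint": 2, "authz_change": 3, "crypto_change": 3,
                 "new_dependency": 1, "schema_change": 1}
MITIGATION_CREDIT = {"authz_tests": 1, "input_validation": 1, "peer_reviewed_model": 1}

# Assumed autonomy levels: (self_service_below, champion_review_below).
# Scores at or above the second value go to the central AppSec team.
AUTONOMY_THRESHOLDS = {0: (0, 3), 1: (3, 7), 2: (5, 10)}


def _lookup(table, key, what):
    if key not in table:
        # Reject unknown vocabulary rather than silently scoring it as zero risk.
        raise ValueError(f"unknown {what}: {key!r}")
    return table[key]


def risk_score(model):
    """Sum data, exposure and change weights, minus mitigation credits, floored at 0."""
    score = _lookup(DATA_WEIGHT, model["data_classification"], "data_classification")
    score += _lookup(EXPOSURE_WEIGHT, model["exposure"], "exposure")
    score += sum(_lookup(CHANGE_WEIGHT, c, "change") for c in model.get("changes", []))
    score -= sum(_lookup(MITIGATION_CREDIT, m, "mitigation")
                 for m in model.get("mitigations", []))
    return max(score, 0)


def review_tier(score, autonomy_level):
    """Map a score to the reviewer a PR from a team at this autonomy level needs."""
    self_service_below, champion_below = AUTONOMY_THRESHOLDS[autonomy_level]
    if score < self_service_below:
        return "self_service"
    if score < champion_below:
        return "champion_review"
    return "appsec_review"


def open_store(path=":memory:"):
    """Create the deliverables table; every evaluated model is stored, whatever its tier."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS reviews ("
        "id INTEGER PRIMARY KEY, feature TEXT, team TEXT, pull_request TEXT, "
        "score INTEGER, tier TEXT, model_json TEXT)"
    )
    return conn


def evaluate(model, autonomy_level, conn):
    """Score the model, pick a tier and persist the result; returns the stored row."""
    score = risk_score(model)
    tier = review_tier(score, autonomy_level)
    cur = conn.execute(
        "INSERT INTO reviews (feature, team, pull_request, score, tier, model_json) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (model["feature"], model["team"], str(model["pull_request"]), score, tier,
         json.dumps(model, sort_keys=True)),
    )
    conn.commit()
    return {"id": cur.lastrowid, "feature": model["feature"], "score": score, "tier": tier}


if __name__ == "__main__":
    db = open_store()
    for level in (0, 1, 2):
        print(level, evaluate(SAMPLE_MODEL, level, db))
```

Two design choices matter more than the numbers. First, every pull request produces a stored review record even when the tier is `self_service`, so the database stays the system of record for what was assessed; the risk score only decides who has to look at it. Second, the evaluator rejects vocabulary it does not know instead of treating it as zero risk, because a threat model that silently scores low due to a typo is the failure mode that erodes trust in an engineer-owned process.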