tldr - powered by Generative AI

• Automated security testing has brought an abundance of signal about codebases and infrastructure without much manual effort, but managing findings and triaging false positives is time-consuming and results in hiring more security experts.
• The Application Security Toolchain Framework unifies multiple security tools and allows for per-team configuration, conditional tool execution, and automated reporting to different sinks based on code ownership.
• The framework is low to no code, platform-agnostic, and community-driven, with integrations for several scanners both under the OWASP umbrella and not.
• The framework allows for scheduling tool execution against both code and infrastructure, aggregating results from different tools, enriching them using several processors, and consuming them with a multitude of visualization platforms.
• The framework is demonstrated through a tool called Dracon, which unifies security tool execution and results management.
• The community-driven aspect of the framework allows for integration with a wide range of security tools and provides an idea of which tools are more popular based on their integrations.

tldr - powered by Generative AI

• The OWASP DevSecOps Maturity Model provides a framework for companies to apply security in a cloud-native and fast-paced engineering world.
• Whatever isn't automated is much more difficult to practically apply to systems.
• Open source security tools have evolved and provide good coverage for many of the layers of the DSOMM model.
• The presentation walks through the different security requirements in the DSOMM framework and does live code demos for each.
• Prioritization of security issues can be done per each pull request.
• The speaker shares their experience with implementing security processes in a startup environment.
• Developers owning security is seen as the future of the security industry.