Remember our talk on Making Security Agile? The SAMI security team recently presented an updated, more in-depth version of the talk at AppSec California 2016, and returned with new excitement about the state of security. Read on for our key insights from the conference, as well as the latest “Making Security Agile” slides.
Not only were we able to share our security expertise (and find some kindred spirits!), we received new knowledge from AppSec attendees that is directly applicable to what we do here in SAMI.
As a refresher, the main idea of “Making Security Agile” is that security can’t be done as it was 5-7 years ago, because many companies have moved to agile development methodologies. If SDLC is agile, then security should be agile as well, in order to avoid becoming a bottleneck. Security should be integrated well with SDLC.
This time, we included a live demo to show how our automation process works, and a live demo of how our homegrown open source tool bscan can be used to take advantage of QA regression tests for better security coverage.
The conference was full of great presentations, with metrics, automation and the rise of cyber insurance among the most-talked-about topics. Some of our other favorites included Symantec’s talk on IoT threats and Security Innovation’s talk about safety in connected cars, which both remind us to stay aligned in how we build our IoT ecosystems; Whitehat’s 15 Years of Web Security, which provided a lot of statistical data about application security trends; and Snapchat’s innovative use of client- and server-side defenses.
It has become a tradition for progressive companies to share their security process with the industry. This is good, because the best practices can be learned and adopted by other companies that work in the same domain. What Snapchat does is applicable to any API-based ecosystem, including ours. This was Snapchat’s first-ever public security presentation, and they addressed well known issues such as threats coming from third-party partner applications, protecting secrets on mobile devices, and differentiating between native Snapchat applications and others. Snapchat’s presentation was a valuable use case for building a better security team and process.
Overall, it was a great opportunity to learn about new contemporary trends in application security, as well as contribute our own piece of the puzzle. We look forward to the next one!