The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and the Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one of a kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Tuesday, January 30 • 10:45am - 11:35am
The Only Reason Security Really Matters for DevOps


Abstract:
This talk begins by exploring the answer to the question: why does DevOps matter? Businesses do what they need to do to survive and succeed. If their customers need agility, then they will evolve to accommodate that.

Next, key differences between the pre-DevOps world and the post-DevOps world are discussed. Before, it was about on-premises infrastructure, protecting the perimeter, and enforcing gates in the SDLC. Now, the supply chain is king. Applications and APIs matter more and more. And everything is mobile.

A detailed look at 10 companies "killing it at DevOps" reveals that for agile companies, security is a strategic business driver. It prevents unplanned work and re-work, and security requirements are explicitly specified during the sales process as part of vendor security assessments.

Additional drivers include avoiding bad press and compliance reasons, both of which, if you look under the covers, are ultimately about getting more sales. This presentation analyzes the actual language in Bill Gates' Trustworthy Computing memo to see that in fact even Microsoft's "noble" initiative was "all about the money."

That being said, what's a security professional to do? BSIMM has 113 controls, ISO27017 has 121, and CCM has 133. It's enough to make a person's brain explode.

This session concludes with expert recommendations on how to think about security for DevOps in a way that aligns with a modified version of the NIST Cybersecurity Framework. The 5 points (Identify, Prevent, Detect, Respond, and Recover) are simplified down to just 3 (Identify, Prevent, and React), and the end of the session covers detailed recommendations on how to incorporate practical security concepts into a DevOps environment using this uncomplicated framework.


Caroline Wong

Vice President of Security Strategy, Cobalt
Caroline's close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well-known thought leader on the topic of security metrics and has been featured...

Tuesday January 30, 2018 10:45am - 11:35am PST
Terrace Lounge