Session Name: Streamline Security with Shift Left: A Cloud Approach
In agile development, development and testing iterate continuously throughout the software lifecycle, in collaboration with stakeholders and with a focus on continuous improvement. Frequent releases raise the risk of security vulnerabilities. Reports such as Secure Code Warrior's show that over 50% of organizations follow reactive security practices, addressing vulnerabilities after deployment and reviewing code manually. The DORA 2021 Accelerate State of DevOps report stresses that security cannot be an afterthought: high-performing organizations that implement security practices early surpass reliability targets by 2x. Companies often rely on security scanning in production, but attacks that exploit defects introduced early in the lifecycle are driving the shift-left trend.

Integrating security into CI/CD with DevSecOps controls builds a framework for early scanning and detection, ensuring efficient testing, monitoring, and response. This presentation discusses building a CI/CD solution for continuous security scanning in AWS CodePipeline. Integrating security early allows secure applications to be delivered rapidly and consistently through automation. Code reviews are vital, but questions remain about how to ensure security sign-off for each production release and how to scan comprehensively beyond DAST and SAST. Our solution addresses these challenges, enabling proactive security measures, vulnerability reduction, and the efficient delivery of secure applications.
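To make the two challenges named above concrete (a recorded security sign-off per release, and a gate that considers more than one scanner), here is an added example of a release gate that a pipeline stage could run before deployment. It is not the presenter's solution or any AWS CodePipeline feature: the report format, the stage names `sast`, `sca` and `secrets`, and the sample findings are all constructed for illustration. The gate fails closed: a missing scanner report, any finding at or above the blocking severity, an unrecognized severity label, or a missing sign-off all stop the release.

```python
"""Pipeline security gate (added example with constructed data).

Aggregates JSON reports from several scanner stages and decides whether a
release may proceed. Every required scanner must have produced a report,
no finding at or above the blocking severity may remain, and a security
sign-off must be recorded for the release.
"""
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed stage names for this example; not CodePipeline identifiers.
REQUIRED_TOOLS = ("sast", "sca", "secrets")


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: str
    location: str


@dataclass
class GateResult:
    passed: bool
    reasons: list[str] = field(default_factory=list)
    blocking: list[Finding] = field(default_factory=list)


def parse_reports(report_jsons):
    """Return {tool: [Finding, ...]} from JSON report strings.

    The report shape is constructed for this example:
    {"tool": "...", "findings": [{"rule_id", "severity", "location"}, ...]}
    A report with an empty findings list still counts as "the scanner ran".
    """
    reports = {}
    for raw in report_jsons:
        data = json.loads(raw)
        tool = data["tool"].lower()
        reports[tool] = [
            Finding(tool, f["rule_id"], f["severity"].lower(), f["location"])
            for f in data.get("findings", [])
        ]
    return reports


def evaluate_gate(reports, block_at="high", approved_by=None,
                  required_tools=REQUIRED_TOOLS):
    """Decide whether the release may proceed; collect every reason it may not."""
    reasons = []
    missing = [t for t in required_tools if t not in reports]
    if missing:
        reasons.append("missing scanner reports: " + ", ".join(missing))

    threshold = SEVERITY_RANK[block_at]
    blocking = []
    for tool_findings in reports.values():
        for f in tool_findings:
            rank = SEVERITY_RANK.get(f.severity)
            # Unknown severity labels are treated as blocking (fail closed).
            if rank is None or rank >= threshold:
                blocking.append(f)
    if blocking:
        reasons.append(f"{len(blocking)} finding(s) at severity {block_at} or above")

    if not approved_by:
        reasons.append("no security sign-off recorded for this release")

    return GateResult(passed=not reasons, reasons=reasons, blocking=blocking)


# Constructed sample reports: one high SAST finding, one medium SCA finding,
# and a clean secret scan.
SAMPLE_REPORTS = [
    json.dumps({"tool": "sast", "findings": [
        {"rule_id": "example/sql-injection", "severity": "high",
         "location": "app/db.py:42"}]}),
    json.dumps({"tool": "sca", "findings": [
        {"rule_id": "example/outdated-dependency", "severity": "medium",
         "location": "requirements.txt"}]}),
    json.dumps({"tool": "secrets", "findings": []}),
]


if __name__ == "__main__":
    result = evaluate_gate(parse_reports(SAMPLE_REPORTS), approved_by="appsec-oncall")
    print("PASS" if result.passed else "BLOCK")
    for reason in result.reasons:
        print(" -", reason)
    for f in result.blocking:
        print(f"   {f.tool}: {f.rule_id} at {f.location} ({f.severity})")
```

In a real pipeline the `approved_by` value would come from a manual approval action or a ticket system rather than a function argument, and the blocking severity would be set per environment; the point of the example is that the decision is computed from all scanner outputs and the sign-off together, not from a single SAST or DAST result.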
I am currently leading security efforts at Quince, previously worked with Microsoft, and have experience in establishing comprehensive end-to-end information security frameworks for startups. My passion lies in scrutinizing application logic and discovering vulnerabilities, which have been acknowledged by prominent multinational corporations such as Google, Yahoo, and NASA. Additionally, I maintain an active blog (https://logicbomb.in/) where I discuss intriguing vulnerabilities, data privacy concerns, and various security-related topics. Several of my articles and interviews have been featured in reputable news media outlets, including Forbes, BBC, TechCrunch, and HackerOne, among others. I also engage as a cybersecurity speaker and enjoy sharing my insights on diverse information security subjects at national and international conferences such as Defcon, BSides, Threatcon, Rootcon, and RMISC.