Don’t worry, I’ve put in the time for you. This talk distills the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts, conference talks, and in-person discussions with security engineers at dozens of companies into an opinionated guide to systematically scaling your company's security. This talk is about results: tools and hyped approaches that don't work will be called out.
Topics covered include:
* Principles, mindsets, and methodologies of highly effective security teams
* Valuable security primitives to invest in, upon which high-leverage initiatives can be built
* Security metrics and creating a data-driven security program
* High-value engineering projects that can eliminate classes of bugs
* How and where to integrate security automation into the CI/CD process in a high-signal, low-noise way
* Building a continuously monitored and self-healing cloud environment
* Vulnerability management, asset inventory, automating detection and response, threat modeling, and more
* Useful open source tools
You’ll leave this talk with an understanding of the current state of the art in DevSecOps, links to tools you can use, resources where you can dive into specific topics of interest, and most importantly, an actionable path forward for taking your security program to the next level.
Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a small startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, a global security consulting firm, where he helped companies implement security automation and DevSecOps best practices and performed penetration tests for companies ranging from large enterprises to new startups. Clint has previously spoken at conferences including BlackHat USA, AppSec USA/EU/Cali, BSidesSF, and DevSecCon Seattle/London/Tel Aviv/Singapore. Clint holds a Ph.D. in Computer Science from the University of California, Davis. Want to keep up with security research? Check out *tl;dr sec*, Clint’s newsletter, which contains summaries of artisanally curated top talks and useful security links and resources from around the web.