Tony is the founder and CEO of VerSprite, a global security consulting firm based in Atlanta, GA. He is also the author of Wiley's Risk Centric Threat Modeling, a book endorsed by the late Howard Schmidt, Cyber Security Coordinator for the White House. The book has been used in universities and enterprises worldwide as a means to apply a risk-centric approach to application threat modeling. Tony has spoken at numerous OWASP, ISACA, ASIS, (ISC)², ISSA and BSides conferences across four continents on cloud security, risk management, threat modeling and secure-SDLC implementation. He has also provided global training to both development groups and company executives who need to understand the impact of security programs on products and business services. Before starting VerSprite, Tony worked at various large multinational companies, including GE Capital, UBS, Morgan Stanley, SunTrust Bank, Equifax, Symantec and Secureworks. Today, his organization performs a range of security consulting services worldwide for Fortune 50 and other global companies as well as technology startups.
Tony is also well known for his leadership role in the Open Web Application Security Project (OWASP) where he runs the OWASP Atlanta Chapter and manages monthly workshops and events for Atlanta's AppSec community.
Session: Getting Your Security Program To Shift Left - Operationalizing Security Controls Via DevSecOps
The latest topic in managing security programs is the ability to "shift left" the implementation of controls. In practice this means applying security controls not after implementation, but during the earlier phases of a System or Software Development Lifecycle. Those stages (Definition, Design, or even Development) allow security requirements to be defined and applied before the Implementation phase. The rise of regulations and the demand for more agile engineering practices are forcing CISOs and security programs to develop more sophisticated ways to meet security requirements set by regulations, internal governance, and clients. This talk will focus on how DevSecOps efforts are changing the way we govern security controls through readily available automation tools. It will also show how this approach can support more cost-effective governance models, regardless of industry or the size of the IT environment.