BSidesSF 2019

Many companies have shared their lessons learned in scaling their security efforts, leading to hundreds of blog posts and conference talks. Sharing knowledge is fantastic, but when you're a busy AppSec engineer or manager struggling to keep up with day-to-day requirements, it can be difficult to stay on top of or even be aware of relevant research.

This talk will summarize and distill the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts and conference talks over the past few years and combine it with knowledge gained from in-person discussions with AppSec engineers at a number of companies with mature security teams.

Topics covered will include:
• Principles, mindsets, and methodologies of highly effective AppSec teams
• Best practices in developing security champions and building a positive security culture
• High value engineering projects that can prevent classes of bugs
• How and where to integrate security automation into the CI/CD process in a high signal, low noise way
• Open source tools that help with one or more of the above

Attendees will leave this talk with an understanding of the current state of the art in DevSecOps, links to tools they can use, resources where they can dive into specific topics of interest, and most importantly an actionable path forward for taking their security program to the next level.