
Building a Modern Security Engineering Organization

OWASP Foundation via YouTube

Overview

Explore the evolution of security engineering in modern software development environments in this OWASP AppSec California 2015 conference talk. Delve into practical strategies for building and scaling contemporary AppSec and NetSec programs, gain insights on launching successful bug bounty initiatives, and learn techniques for conducting realistic attack simulations to identify compromise signals in your ecosystem. Discover how continuous deployment and DevOps philosophies have transformed business operations and how security teams can effectively adapt to these changes. Benefit from the expertise of Zane Lackey, Founder/CSO at Signal Sciences, as he shares lessons learned from his experience as Director of Security Engineering at Etsy and Senior Security Consultant at iSEC Partners. Gain valuable knowledge on topics such as feature flags, security instrumentation, mindset shifts in security practices, access control in startups, and the importance of realistic trade-offs in security decision-making.

Syllabus

Intro
How is technology changing
Cost of the attack
Near instantaneous deployment
Waterfall model
Etsy
Waterfall
Feature Flags
Security vs Control
The system isn't dangerous
It doesn't matter
Deployment time
Old methodology
What makes it safe
Invisibility instrumentation
Security insight
The big lesson
The key
Binary events
The two worlds
The shift around
Function by removing blockers
We are the blocker
Mindset shift
Being a jerk
Making realistic tradeoffs
The security chart moment
How easy it is to exploit
Random culture
Reward behavior
Bad days
Don't be a jerk
Reward good behaviour
National responses
How to scale
Access control in startups
Pressure from different points
Whether it's regulatory compliance
You can take away access but
This is a hard step
The key lesson learned
Destroy your credibility
Magic
Central Locking
End State
Budget Concerns
Above Bounty
Cost of Discovery
Metrics
Mark
Quality and Credit
Pen Testing
Vulnerability Enumeration
Pentest
Feedback Loop
Goal-Oriented
Scope
Realistic
Logistical
Data
Why
Behavior Patterns
Attack Profile
Life Against Death

Taught by

OWASP Foundation
