AppSec California 2020

The talk will take the audience on a journey from the origin of the security architecture, the challenge of cloud security and the role of an architect in the dev-sec-ops world. The talk explains the difference between traditional command and control governance and the solution to avoid starving automation and innovation with traditional security governance. During the talk, we will look at modern SDLC and what should be deployed step by step in each stage. We will explore: Security Gates and why they do not always work in dev-ops Automation how-tos: How to deploy cybersecurity at scale Why is important to know how to deal with people Automation in the pipeline is the king How to secure the design phase (design and requirements) How to secure dev and test How to convert threat modelling in use stories How to Deploy in production ensuring that the artefacts have been reviewed Audience Take Away: How to build a cybersecurity programme with architecture at the heart How to avoid traditional architecture pitfalls how to do governance at pace and when to apply traditional security governance how to mix governance and agile development as well as dev sec ops how to extract patterns from existing design the value of design principle patterns and why they are key to go fast. how and when to use tools (SAST/DAST) and how to lead engineer into secure code analysis How to manage libraries and how to guide team during the triage