AppSec California 2020

There have been hundreds of blog posts and conference talks about DevSecOps and scaling security. As a busy security professional, it can be difficult to stay on top of the current state of the art.

Don’t worry, I’ve put in the time for you.

This talk distills the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts, conference talks, and in-person discussions I've had with security engineers at tens of companies.

Using this info, I've created an opinionated guide to systematically scaling your company's security. This talk is about results: tools and hyped approaches that don't work will be called out.

I’ll cover:
* Principles, mindsets, and methodologies of highly effective security teams
* Valuable security primitives to invest in, upon which high leverage initiatives can be built
* Security metrics and creating a data-driven security program
* High value engineering projects that can prevent classes of bugs
* How and where to integrate security automation into the CI/CD process in a high signal, low noise way
* Useful open source tools

You’ll leave this talk with an understanding of the current state of the art in DevSecOps, links to tools you can use, resources where you can dive into specific topics of interest, and most importantly, an actionable path forward for taking your security program to the next level.