Back To Schedule
Saturday, November 21 • 08:45 - 09:30
Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time.

Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams.

Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar.

But there’s another way.

Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve classes of vulnerabilities by construction, preventing bug whack-a-mole.

In this talk, we’ll present a practical step-by-step methodology for:
- Choosing what to focus your AppSec resources on
- How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
- How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
- How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company

avatar for Isaac Evans

Isaac Evans

CEO, r2c

Saturday November 21, 2020 08:45 - 09:30 WIB