4. @BrianVerm
What are the problems?
● Lack of security focus throughout the app lifecycle
● Software delivery sped up with little thought to security
● Silo-ed security expertise
● Customer data could be compromised
6. @BrianVerm
The modern application
A New Risk Profile
● 80-90% of codebase is Open Source
● 80% of vulnerabilities found in indirect dependencies
● 100s of Linux packages inherited from public sources
● Built, deployed & scaled in seconds
● #1 cloud vulnerability is misconfiguration [NSA]
● Network access, storage, servers - deployed as fast as code
● 10-20% of code is custom - and digital transformation increases pressure to deliver more and faster.
Code
Open Source
Containers
Infrastructure as Code
9. @BrianVerm
/hello?user=<script>alert(1)</script>
10. @BrianVerm
<script>alert(1)</script>
<b onmouseover=alert('Woof!')>click me!</b>
<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>
<IMG SRC=jAvascript:alert('test2')>
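The reflected XSS demo on slides 9 and 10 (the `/hello?user=` endpoint and the payloads above), as an added JavaScript example that is not part of the deck: the vulnerable render beside the hardened one, with HTML output encoding as the fix. The handler names, the `req.query.user` source and the string-based check are assumptions; no server is started, so it runs offline.

```javascript
// Added example (not from the deck): the "/hello?user=..." reflected-XSS demo
// from the slides, with the vulnerable render beside a hardened one.
// In a real Node/Express handler `user` would come from req.query.user (assumed).

// VULNERABLE: the untrusted query value is concatenated straight into HTML,
// so any of the slide's payloads becomes live markup in the victim's browser.
function renderHelloUnsafe(user) {
  return `<h1>Hello ${user}</h1>`;
}

// Contextual output encoding for an HTML text or quoted-attribute context:
// these five characters are the ones that can terminate the context.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// HARDENED: identical template, but the value is encoded before insertion.
// The text the user typed is still displayed; it just cannot become a tag.
function renderHelloSafe(user) {
  return `<h1>Hello ${escapeHtml(user)}</h1>`;
}

// Constructed check: does the page contain any tag other than the template's
// own <h1>...</h1>? A real regression test would load the page in a headless
// browser; this string check is enough to show the difference.
function hasInjectedTag(html) {
  return /<(?!\/?h1>)/.test(html);
}

// Sample inputs copied from the slides' demo; constructed test data here.
const SAMPLE_PAYLOADS = [
  "<script>alert(1)</script>",
  "<b onmouseover=alert('Woof!')>click me!</b>",
  '<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>',
  "<IMG SRC=jAvascript:alert('test2')>",
];

// Runs every payload through both renderers and reports which one reflects
// it as live markup. Expected: unsafe -> true for all, safe -> false for all.
function auditPayloads(payloads = SAMPLE_PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    unsafeReflectsTag: hasInjectedTag(renderHelloUnsafe(p)),
    safeReflectsTag: hasInjectedTag(renderHelloSafe(p)),
  }));
}
```

Encoding on output is the fix the slide's demo calls for; a Content-Security-Policy that disallows inline script is the defence-in-depth layer behind it.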
35. @BrianVerm
What is the Solution?
Culture: What do people care about and how should they collaborate
Process: The best way to adopt a new practice is to integrate into existing processes
Tooling: Pick the tooling that fits your process; automate away manual steps
41. @BrianVerm
“Shift left” is not enough
Empowering developers to build applications securely within the entire development process
Empower developers
Enable security teams