Fully automated attacks take companies into insolvency. The attackers use the latest automation technology to break into your company, making it nearly impossible to prevent an attack. The only question left: when will it happen?
While the tech industry has advanced in the last decade towards platform engineering and multiple releases per hour, security tooling and culture have yet to catch up. Working with the most advanced companies with high security and privacy requirements, we observed a shift in how those teams collaborate.
This talk shares the learnings from hundreds of discussions and how companies use new approaches to build and ship more robust application delivery with platform and security engineering.
"The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications", Christoph Hartmann
1. Platform and Security Engineering join forces to
build more secure and robust applications.
The death of #security
as we know it
Christoph Hartmann
@chri_hartmann
2. Hi, I am Chris. I am CTO
at Mondoo - leader in
Security Posture
Management
What is your
background?
I co-created the open source
security projects DevSec Project
and InSpec, Co-Founded
Vulcano Security (acquired by
Chef Software) and was Director
of Engineering at Chef Software
@chri_hartmann
9.
🔥
Yearly increase of 20% of known vulnerabilities
🏎
Hackers use full automation to discover and hack targets; about 90% of exploits are
available within the first month after the CVE has been published
🐌
Rollout of fixes is way too slow
Issues outpace the fix
20. Interviewed and worked with 100+ Sec/DevOps Leaders
Theme | In their words...
More organized threats | "Software is eating the world so hackers are having a feast"
Wait days/weeks to data | "Coordinating over 30+ security tools to answer if we have the vulnerability and then waiting for verification it's been fixed"
Security owns all the tools | "DevOps don't have consistent access to what security uses, just their outputs aka a giant spreadsheet"
Security vendors are slow | "Their product roadmap is the same every year, so we hacked a solution to dump into Splunk"
Unclear on the right priority for the business | "The trade-off between shipping new features vs fixing what security wants us to fix."
Re-enforces good practices | "I need my teams to have a way to continuously improve our posture and for management to recognize the effort"
27.
What are successful security engineers using?
1. Access: Every developer and security engineer has access to the same tooling
2. Coverage: security tooling that supports build and runtime
3. Automation: security tooling that works hand-in-hand with automation
4. Extensible: security tooling that has an open source foundation, not hard-coded rules
28.
open source security
https://cnquery.io
Asset Inventory, search and gather
information about your
infrastructure
https://cnspec.io
Security Scanner, scan for
vulnerabilities and
misconfiguration
29.
Amazon S3 buckets do not allow public read access
S3 Buckets are configured with 'Block public access'
Easily ask questions with
GraphQL-based MQL