AppSec USA 2016 has ended


DevOps Connect
Friday, October 14


Serverless Security: Doing Security in 100 milliseconds

Serverless is the awesome future of cloud computing. This session will focus on practical security approaches for serverless in four key areas: software supply chain, delivery pipeline, data flow, and attack detection.


Serverless is a design pattern gaining a lot of traction in DevOps shops. The serverless pattern allows scale without managing the servers or processes running the application. This spans the whole cloud continuum, from storage as a service to database as a service, but the center of serverless is Functions as a Service (FaaS). FaaS offerings on the market include AWS Lambda, Azure Functions, and Google Cloud Functions. Processes now run for milliseconds before being destroyed, and are instantiated again for subsequent requests.


Security changes under serverless, and our traditional modes of firewalling and hardening all the things just won’t cut it. Practices like vulnerability discovery, code scanning and intrusion detection change in a serverless architecture. Other changes under serverless range from how applications are built and deployed to how teams are structured.


This session will focus on practical security approaches and the four key areas of serverless security: software supply chain, delivery pipeline, data flow and attack detection. Even if you don’t have any experience with serverless, don’t worry: this session starts with the basics, and you will learn what serverless is (it’s still being defined) and practical patterns for serverless adoption.


James Wickett

James does most of his research and work at the intersection of the DevOps and Security communities. He works as a Sr. Engineer at Signal Sciences and is a supporter of the Rugged Software and Rugged DevOps movements. Seeing the gap in software testing, James founded an open source...

Friday October 14, 2016 9:15am - 10:00am
Room C


Continuous Security: DevOps and Ongoing Authorization

Application security has changed dramatically from even just a decade ago. Today, if you do not build in security and deliver continuously, you are at risk. This is the story of how we have updated our practices to incorporate security at every phase, through the intersection of DevOps and Cybersecurity. The session will touch on lessons learned through real world experience and things you can do to begin integrating security into your DevOps pipeline through the use of ongoing authorization.


Paula Thrasher

Paula Thrasher is Director of Digital Services at CSRA. She has 20+ years of experience in IT and has spent the last 15 years trying to implement Agile culture in the federal government. Paula's first Agile project was in 2001. Since then, she has led over 15 programs and projects as...

Friday October 14, 2016 10:05am - 10:45am
Room C


DevOps to DevSecOps: a 2-dimensional view of security for DevOps

When it comes to looking at Security and DevOps, one has to look at it in two dimensions:

  • Securing the Application
  • Securing the Application Delivery Pipeline

Securing the application is focused on ensuring that the application being developed and delivered, and its associated data, are secure, and that the application is built and delivered using secure engineering practices that protect its security and integrity, and that of the business and end users.


Securing the Application Delivery Pipeline focuses on securing the delivery platform itself: ensuring that the application development and delivery tools, the infrastructure and environments, configurations, automation tools, repositories, and associated services and APIs are all secure.


This session will look at the security considerations that need to be addressed to put the Security in DevOps.


Sanjeev Sharma

Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and published author. Sanjeev’s industry experience includes tenures as CTO and Worldwide Technical Sales Leader, Acquisition Integration Technical Leader, and IT Architect...

Friday October 14, 2016 10:45am - 11:20am
Room C


Where bits & bytes meet flesh & blood: Devops, Cybersafety, and the Internet of Things

We've heard software is eating the world; software is infecting the world. Our dependence on connected technology is growing faster than our ability to secure it, in areas affecting public safety and human life. Adding millions of lines of code and connecting everything to everything else exposes cyber physical systems to new accidents and adversaries. This is truly where bits & bytes meet flesh & blood. While many in security fear DevOps and see it as the end of security as we know it... maybe that's a good thing. Our best is not good enough. Despite best practices, modern SW and Security have allowed 100 of the F100 to lose IP and sensitive information; even our governments routinely succumb to adversaries. These failure rates cannot stand when the consequences of failure are measured not in record count but in human lives and GDP. Paradoxically, it may take DevOps to rise to these challenges. Rugged DevOps is finding un-obvious common ground and breakthroughs like SW supply chain principles, greater visibility and response agility, immutable infrastructure, and the like. We must be better. This is what better looks like.



Josh Corman

Joshua Corman is a Founder of I am The Cavalry (dot org) and CSO for PTC. Corman previously served as Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The...

Friday October 14, 2016 11:25am - 12:10pm
Room C


DevSecOps: A Peek Inside the Pipeline

Got it, DevSecOps… now could you stop dropping the microphone and show me how. It’s time for DevOps and Security to come together and show how tools and processes can make it possible for software developers and security professionals to unite in a common mission. It’s not easy to bring everything together and make it possible to build better, safer software at scale. Using developer tools like Jira, Jenkins, and Nexus, it is not only possible to increase the efficiency of software delivery but to strengthen applications at the same time. Digging into these tools, we’ll take a look at how security defects and feature requests are now becoming part of a developer’s backlog. And we’ll look at unique ways to evolve both DevOps and Security to increase the speed of finding and fixing security issues while deploying software and still enjoying your job.


Shannon Lietz

DevSecOps Lead, Intuit
Shannon Lietz is an award winning innovator with over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit where she is responsible for setting and driving the company’s cloud...

Friday October 14, 2016 1:05pm - 1:50pm
Room C


Making Invisible Things Visible: Revealing Secrets from 25,000 Applications

Every software development organization on the planet relies on a software supply chain, but most can’t see it and don’t understand the volume of components flowing through it. In the 2016 State of the Software Supply Chain Report, I detailed the practices of over 35,000 software development organizations who consumed billions of open source and third-party components in 2015. Across billions of components downloaded, I found that 1 in 17 had a known security vulnerability. I also found a similar ratio of components flowing through these software supply chains into finished applications.


Those leading AppSec and DevOps practices who have pursued improved visibility, supplier choices, and control mechanisms across their software supply chains have boosted developer productivity by as much as 30%, crumbled mountains of security debt, and shifted millions of dollars from sustaining operations to accelerating innovation. Yet the vast majority of organizations developing software are blind to their free-for-all consumption volume, patterns, and velocity. Their software supply chain practices are silently sabotaging efforts to accelerate development, improve efficiency and maintain the integrity of their applications.


Results from the report will be shared with attendees, including:


  • Using one of the latest versions of a software component can cut the vulnerability ratio in half.
  • 75% of organizations lack policies that control the use of open source and third-party components.
  • 97% of development organizations lack any vetting process for components being electively procured for use in applications.


This discussion is not intended to simply shed light on bad practices. It is about making your software supply chain visible. Attendees will learn how those on the forefront of Development and Application Security are improving the quality and security of components used across their software supply chains.


Derek Weeks

VP and Rugged DevOps Advocate, Sonatype
Derek is a huge advocate of applying proven supply chain management principles into development and application security practices to improve efficiencies, reduce security risks, and sustain long-lasting competitive advantages. Over the past two years, Derek led the largest and most...

Friday October 14, 2016 1:55pm - 2:30pm
Room C


Moving to the Left: DevOps practices and the changing role of SecOps

As shown in the 2016 State of DevOps Survey, DevOps practices are changing the role of security teams, moving them “to the left” in the SDLC as part of the design phase and no longer simply validating production as being secure. Result: 50% less time remediating security issues.


The State of DevOps Survey has been running for the last 5 years, and the past two in particular have shown that DevOps practices are moving beyond just “Dev” and “Ops” to involve security teams as well as other areas of the business. Various labels are being used to describe this world: SecDevOps, DevSecOps, RuggedDevOps, but the critical inflection point is that the combination of strong automation platforms, continuous delivery, infrastructure-as-code and version control are all enabling security teams to validate and secure apps and infrastructure at the design phase. This minimizes the amount of manual validation of production by security teams, enables faster remediation of security issues and ultimately results in more secure deployments, but only if security teams take this opportunity to revisit existing practices that have built up over time.


In this talk we’ll be covering the high level results of the 2016 State of DevOps Report, the changing role of security teams as well as some anonymized user stories illustrating both how to best take advantage of a growing DevOps practice within your organization and major missteps observed in the field.


Bill Weiss

Sr Manager of SysOps, Puppet
As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he's spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial...

Friday October 14, 2016 2:35pm - 3:10pm
Room C


Glad You Could Join Us: Bringing Security into the DevOps Fold

We all know that “DevOps” is a portmanteau of Development and Operations, but where is the “Sec”? Security has long been the red-headed stepchild of the DevOps cultural movement. The time has come to fully integrate traditional security testing practices into a Continuous Delivery pipeline.


We will discuss the current state of security in DevOps, what it means to have a security pipeline, and some challenges and solutions of such a transformation.


Bryan Batty

Having spent more than ten years building secure software applications, Bryan Batty is now a Managing Consultant for Coveros, and focuses primarily on security and DevOps transformations, especially as they relate to building security into the software development pipeline. Over the...

Friday October 14, 2016 3:15pm - 3:50pm
Room C


Mapping the Risk in Your Value Stream

Mapping can help visualize the flow between your customers and the raw materials your business uses to provide them with products or services. This session will examine how mapping risk onto your value stream can improve your chances of success and keep failures bounded to expectations.



While enumerating system states may increase our understanding of our options, it does not account for probabilities and likely outcomes. Any attempt to instantly transition a system to a desired state is usually expensive and unsuccessful.


By visualizing our value stream and weighing our options, we’re able to trade high-risk bets for lower but more likely payouts. These low-risk wagers provide the intermediate steps needed to reach our goals without taking some huge leap of faith.


By painting a more complete picture with our numbers, we’re enabling our audiences to make educated decisions. We’ll look at different types of value stream mapping techniques and how to automate data collection for different types of metrics:


  • Basic Value Stream Mapping
  • Wardley Mapping
  • Five Required Families of Metrics
  • Enumerating Risks
  • Automating Analysis
  • Taking Action with Data
  • Evolving System Models


Chris Corriere

Chris Corriere has been working with data, phones, networks and writing software for over fifteen years. His background in mathematics and engineering has allowed him to adapt to new and industry specific technologies and provided many unique consulting opportunities. As a devOps...

Friday October 14, 2016 3:55pm - 4:30pm
Room C