How I learned to quit piling up bugs and help the developer deploy secure code
CI/CD really challenges security activities because those activities are often highly manual, and even when they are automated they remain time consuming, with complex tool installation or operation. Beyond the basics (automate, hook results into other ecosystem tools, etc.), what are the tricks to getting common security activities to work in a truly continuous process?
In this talk, John will discuss the particulars of supporting active development with static analysis, with the purpose of accelerating developers' deployment of secure code. The talk takes a tool-agnostic stance, considering those aspects of SAST implementation that work for both open-source and commercially available tools, and for small organizations as well as large ones. Drawing on almost two decades of experience from a vendor's assessment practice and from organizations' own security initiatives, he'll cover what's worked, what hasn't, and where to spend your time to really make an impact on the security of your code.