Fall 2024 LeanAppSec Live

How do you execute well on AppSec when you have small teams, little funding and an environment where everyone is freaking out about the threat-du-jour? You drill down on the basics and do them exceptionally well! 

On October 23rd, LeanAppSec Live will take you Back to the Basics of Application Security.

Join us for a full day of expert-led sessions and ample opportunities to connect with fellow professionals. Whether you’re just starting out or have years of experience, you’ll walk away with actionable tips to enhance your AppSec program.

Format: Virtual Conference
Date: October 23, 2024
Time: 9am-1pm PT
Duration: 4 hours

Speakers

Coming Soon

  • Alex Olea, DevSecOps Engineer (Starburst)
  • Brandon Sterne, CISO (Basis Theory)
  • Camilla Odlund, Member of Technical Staff (Endor Labs)
  • Chris Hughes, Chief Security Advisor (Endor Labs)
  • Darren Meyer, Staff Research Engineer (Endor Labs)
  • Dustin Lehr, Co-founder / Chief Product and Technology Officer (Katilyst)
  • James Kirk, Head of Security and Privacy (Jellyfish)
  • Jamie Scott, Founding Product Manager (Endor Labs)
  • Jenn Gile, Director, Product Marketing (Endor Labs)
  • Rachel Taylor, Director, Security Risk and Trust (Docker)
  • Ron Harnik, VP, Marketing (Endor Labs)

The Agenda

We're working on confirming speakers and sessions. Check back closer to the event for the full details.

Session 1: 9:00 AM PT, October 23, 2024
Dustin Lehr and Darren Meyer

Building a Proactive Security Culture Through Behavioral Science

No, it's not enough to simply satisfy minimal "check the box" compliance requirements, react to incidents, or fix security vulnerabilities after they're in production. Focusing only on the "right side" of the process is a recipe for eventual disaster, and is ultimately costly to pursue. You need to focus on shifting habits and behaviors to proactively address issues long before they reach production. You need to build a culture that is full of security best practices: training, threat modeling, architecture reviews, and so on.

But HOW? In this talk, we'll discuss techniques for shifting your culture and motivating your employees to make the right choices by incentivizing and rewarding their behaviors. We'll focus on the "people" side, and use proven techniques from the fields of behavioral science and psychology to bring your awareness and AppSec game to the next level. Security takes more than just tech, and this is the piece you've been missing to make a lasting difference in your company's security posture.

Takeaways
  • An understanding of why proactive security practices are needed and why tech is not enough to make a lasting difference
  • Techniques for motivating your employees and developers to take action
  • Ideas for creative rewards and incentives that make a difference
  • What metrics to collect and report to leadership for the support you need to shift your culture

Session 2: 10:00 AM PT, October 23, 2024
Brandon Sterne, Chris Hughes, Rachel Taylor

How To Use Compliance As a Driver For AppSec

Compliance is usually treated as a "check the box" requirement, which means that when a new compliance requirement drops, it can feel like someone just threw a wrench into your well-oiled machine: panic sets in, and everyone scrambles. If you’ve got your bases covered in a few key areas, you’re much less likely to panic.

But...

What are those bases that you need to keep a close eye on? 

Where do you start? 

How can you use compliance requirements to drive AppSec?

What are some of the outcomes you can expect from this effort?

Takeaways
  • Overlapping requirements between various compliance frameworks, such as FedRAMP and PCI DSS
  • How to identify where your security program stands today
  • Actionable next steps to help you build a process to monitor key areas
  • What metrics to collect and report to leadership for the support you need to make this shift

Session 3: 11:00 AM PT, October 23, 2024
Jamie Scott, Darren Meyer and Camilla Odlund

Why AppSec Priorities Shift

AppSec is laser-focused on security, Product is driving toward the next big feature, and the Dev team is caught in the middle, trying to keep up with every new request. How can these teams work together when priorities seem so different?

In this session, we dive into the real-world challenges of aligning these teams, featuring three experts with unique perspectives:

  • Camilla, a principal engineer, software architect, and experienced developer, will share her insights on how security fits into a dev’s busy workflow
  • Jamie, who transitioned from security engineering to product management, will offer his take on why new features often trump security concerns
  • Darren, our in-house AppSec expert, will discuss how security can become a shared priority without disrupting the dev flow

Takeaways
  • Why security focus often shifts, especially when devs are juggling product demands
  • Find out what developers really think about security and how it integrates into their priorities
  • Why product and revenue goals often outweigh security concerns
  • Why developers are often more comfortable with certain risks

Session 4: 12:00 PM PT, October 23, 2024
James Kirk, Alex Olea and Jenn Gile

Why No One is Fixing The Vulnerabilities You Find - An Interview With Field Experts

It’s often assumed that developers have this mindset of, "Just let me code! I’ve got a ton of stuff to get done. I’m not a fan of meetings or small talk—I just want to build things." Meanwhile, as an AppSec engineer, the job is all about mentorship, advocacy, and influencing change. Shifting the culture towards better security practices means nudging teams to adopt more secure habits: prompting them to patch what’s needed and to prioritize security. But how do you do that without coming off as a nuisance or feeling like, "Why does everyone seem to hate me?"

Let’s be real—the relationship between developers and AppSec engineers isn’t always on the best footing. It’s a tough spot to be in.

In this session, we discuss successful communication techniques, tactics and processes that have helped bridge the gap between developers and AppSec leaders. 

Takeaways
  • What’s the first step when you feel like it’s ‘security against the world’?
  • What can AppSec engineers do to understand developers better?
  • How much should AppSec contribute to code building?
  • Common issues between AppSec and devs: how can you address them and take constructive steps to combat them?
  • Actionable next steps

FAQs

You've got questions, we've got answers.

Can I earn CPEs for attending a LeanAppSec Live event?

Yes, you can submit the course description page and your registration confirmation email towards CPEs.

Endor Labs does not guarantee CPE credit approvals. Organizations (like ISACA or ISC2) that provide credentials may award CPE credits when you participate in security educational courses with proof of participation.

How do I win a LEGO set?

To enter the drawing for a LEGO set:

  1. Attend a LeanAppSec Live event
  2. Participate in the chat and ask interesting questions

Are live events available for on-demand viewing?

Yes! Live event recordings are added to playlists on the Endor Labs YouTube channel.