Agility Broke AppSec. Now It’s Going to Fix It.

By Vandana Verma Sehgal, Roy Erlich, Emil Vaagland, Seth Kirschner on 12 Aug 2022 @ Defcon: Appsec Village
#security-testing #secure-development #cicd-pipeline
Focus Areas: Application Security, DevSecOps

Presentation Material

URL: https://www.youtube.com/watch?v=mi-deeLpqEo

AI Generated Summary

The panel discussion centered on the evolving challenges of application security (AppSec) within agile development environments, particularly the tension between developer velocity and security controls. A primary challenge identified was the severe imbalance between the scale of development (hundreds of engineers) and limited AppSec staffing, often a ratio of 200:1 or worse. This was compounded by budget constraints for tools, the difficulty of hiring specialized talent, and the friction caused by rolling out tools that generate false positives and block developer workflows.

AppSec was defined broadly as any tool or process integrated into the development lifecycle, extending far beyond traditional code scanning to include infrastructure-as-code, CI/CD pipelines, cloud configurations, APIs, and product security. Its scope now overlaps significantly with cloud security and DevSecOps. The panelists stressed that AppSec’s priority stems from applications being the primary external attack surface; a breach there enables lateral movement, making it foundational to overall organizational risk.

Key techniques and tools emphasized included:

  1. Automation: Essential for managing scale and reducing manual toil, though not a replacement for manual testing.
  2. Visibility: The critical first step in any program, requiring comprehensive inventory of assets, pipelines, and code repositories, often achieved through developer interviews.
  3. Bug Bounties: Highlighted as a powerful method to demonstrate tangible risk reduction and quantify exposure for executive buy-in.
  4. Security Champions: A force-multiplier for scaling security culture and knowledge within development teams.
  5. Focus on Basic Hygiene: Prioritizing fundamental practices (e.g., configuration management, dependency scanning) over chasing new technologies without understanding their risks.
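The "visibility first" and "basic hygiene" points above are where most new programs actually start: before any scanner is bought, someone has to enumerate the repositories, work out which ecosystems they use, and check whether each one even has a pipeline definition and pinned dependencies. The script below is an added example written for this page, not code from the panel or its speakers. It walks a directory of repository checkouts and builds that inventory. The manifest-to-lockfile table, the CI and infrastructure-as-code marker paths, and the four sample repositories it constructs in a temporary directory are all assumptions chosen for illustration; a real run would point it at your actual checkouts and extend the tables to the ecosystems you find.

```python
"""Repository inventory: which repos have a dependency manifest, a lockfile,
a CI pipeline definition and infrastructure-as-code files.

Added illustration for the "visibility" and "basic hygiene" points; the
marker tables below are assumptions, not an exhaustive list.
"""
import os
import tempfile
from dataclasses import dataclass

# Manifest file -> (ecosystem, lockfile expected beside it). Assumed table; extend as needed.
MANIFESTS = {
    "package.json": ("npm", "package-lock.json"),
    "pyproject.toml": ("python", "poetry.lock"),
    "go.mod": ("go", "go.sum"),
    "Cargo.toml": ("cargo", "Cargo.lock"),
}
# Paths (relative to the repo root) whose presence indicates a CI pipeline definition.
CI_MARKERS = (".github/workflows", ".gitlab-ci.yml", "Jenkinsfile", ".circleci/config.yml")
# Top-level files that indicate infrastructure-as-code or container build definitions.
IAC_MARKERS = ("Dockerfile", "main.tf", "docker-compose.yml")


@dataclass
class RepoRecord:
    name: str
    ecosystems: tuple        # ecosystems detected from manifests at the repo root
    missing_lockfiles: tuple  # ecosystems whose expected lockfile is absent
    has_ci: bool
    has_iac: bool

    @property
    def findings(self):
        """Human-readable hygiene gaps for this repository."""
        out = []
        if not self.ecosystems:
            out.append("no dependency manifest found")
        if self.missing_lockfiles:
            out.append("no lockfile for: " + ", ".join(self.missing_lockfiles))
        if not self.has_ci:
            out.append("no CI pipeline definition")
        return out


def inventory_repo(path):
    """Inspect one repository checkout (root-level files only) and return its record."""
    present = set(os.listdir(path))
    ecosystems, missing = [], []
    for manifest, (eco, lockfile) in MANIFESTS.items():
        if manifest in present:
            ecosystems.append(eco)
            if lockfile not in present:
                missing.append(eco)
    has_ci = any(os.path.exists(os.path.join(path, m)) for m in CI_MARKERS)
    has_iac = any(m in present for m in IAC_MARKERS)
    return RepoRecord(os.path.basename(path), tuple(ecosystems), tuple(missing), has_ci, has_iac)


def inventory(root):
    """Treat every immediate subdirectory of root as one repository and inventory it."""
    repos = [os.path.join(root, d) for d in os.listdir(root)]
    return sorted((inventory_repo(p) for p in repos if os.path.isdir(p)), key=lambda r: r.name)


def gaps(records):
    """Aggregate counts: the first numbers a new program can report upward."""
    return {
        "repos": len(records),
        "without_ci": sum(1 for r in records if not r.has_ci),
        "without_lockfile": sum(1 for r in records if r.missing_lockfiles),
        "without_manifest": sum(1 for r in records if not r.ecosystems),
        "with_iac": sum(1 for r in records if r.has_iac),
    }


def build_sample_tree(root):
    """Constructed sample of four repositories with different gaps (not real projects)."""
    layout = {
        "web-frontend": ["package.json", "package-lock.json", ".github/workflows/ci.yml"],
        "billing-api": ["go.mod", "Dockerfile"],                           # no go.sum, no CI
        "data-pipeline": ["pyproject.toml", ".gitlab-ci.yml", "main.tf"],  # no poetry.lock
        "legacy-scripts": ["README.md"],                                   # nothing to scan
    }
    for repo, files in layout.items():
        for rel in files:
            full = os.path.join(root, repo, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
    return root


def run_sample():
    """Build the constructed tree in a temp dir, inventory it, return (records by name, gap counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        records = inventory(tmp)
        return {r.name: r for r in records}, gaps(records)


if __name__ == "__main__":
    by_name, totals = run_sample()
    for r in by_name.values():
        print(f"{r.name:15} ci={str(r.has_ci):5} eco={','.join(r.ecosystems) or '-':8} {'; '.join(r.findings)}")
    print(totals)
```

Two design choices matter here. The inventory only looks at the repository root, so monorepos with nested services will show up as "no manifest" and need a second pass; that is deliberate, because a false "covered" is worse than a false "uncovered" when the point is to find blind spots. And it reports counts rather than scores, which is the form the panel's executive-communication advice calls for: "14 of 120 repositories build without a pipeline" is a risk statement a budget owner can act on.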

Practical takeaways included the necessity of a long-term (36+ month) strategy built on executive communication that quantifies risk in business terms (reputation, revenue impact). For new programs, the consensus was to start with visibility and vulnerability discovery (via scanning or bug bounties) before heavy tool investment. The “dream” program with unlimited resources would still prioritize hiring skilled engineers over tools, as tool deployment and tuning require significant human effort. A major, often overlooked risk is the security debt acquired through mergers and acquisitions, necessitating thorough application due diligence. Ultimately, AppSec success depends on integrating security into the development process without impeding speed, fostering a collaborative culture, and maintaining continuous adaptation to the changing threat landscape.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.