Listening to @johnbdickson at #RMISC - AppSec in a World of Digital Transformation
@johnbdickson Businesses are demanding speed in software development over and above nearly every other requirement. This can be an opportunity for AppSec teams – @johnbdickson at #RMISC #RMISC2019
"Digital Transformation" is a business-oriented term, and as such it's a little ill-defined. It's basically code for "we don't want to get stomped by people like Netflix who are moving fast" – @johnbdickson at #RMISC #RMISC2019
Having systems that all talk to each other (probably through web services) leads to better customer experience. It's a competitive advantage, and that drives what the C-suite calls #DigitalTransformation – @johnbdickson at #RMISC #RMISC2019
The market pressure is 'push services to market faster, with better user experience'; time-to-market beats almost every other consideration – @johnbdickson at #RMISC #RMISC2019
New features go from idea to rollout in days/weeks. Organizations are reorganizing around "Digital". CDO (Chief Digital Officer)/CIO/CTO does worry about security, but it's outweighed a lot by time-to-market – @johnbdickson at #RMISC #RMISC2019
#DigitalTransformation is also driving process and tech changes in software development: microservices, #Serverless, CI/CD, and new(er) languages and platforms – @johnbdickson at #RMISC #RMISC2019
The 1907, one-dimensional, "assembly line" AppSec programs and toolchains don't work in a #DevOps world. Which means they will get laughed at if we apply them to a #DigitalTransformation organization – @johnbdickson at #RMISC #RMISC2019
Most SAST / DAST scanners on the market assume interactive web applications developed in popular compiled languages, and break down on mobile and microservices and such – @johnbdickson at #RMISC #RMISC2019
PCI DSS said "thou shalt have a pen test or a WAF", but WAFs are generally not well-managed, so that's a big disservice – @johnbdickson at #RMISC #RMISC2019
Modernize your AppSec: tune it to the tech stacks you're actually using; make threat modeling faster (but do it 100%!); move tests to CI/CD as much as possible; worry more about trust – @johnbdickson at #RMISC #RMISC2019
Provide #DevOps teams with a reference cloud architecture; annotate it extensively. No guidance means devs will likely roll their own which may not get adequate security attention – @johnbdickson at #RMISC #RMISC2019
Trust boundaries and threat modeling become more important as the need for "faster testing" lowers testing coverage and quality – @johnbdickson at #RMISC #RMISC2019
Understanding what your scanners are good at and bad at becomes increasingly essential. Your AppSec people need to be experts about your scanner -- language/platform support and scan quality can vary even within a given product – @johnbdickson at #RMISC #RMISC2019
AppSec people need to help build pipelines so security can be baked in. – @johnbdickson at #RMISC #RMISC2019
Dual-track testing -- the pipeline tests, and the comprehensive system tests (NB: that's exactly what @Veracode recommends and has been improving support for over the last couple of years) – @johnbdickson at #RMISC #RMISC2019
#DigitalTransformation + changing tech stacks = a reset for AppSec

But it's an opportunity; and if you don't take it, you'll recreate the same problems you inherited – @johnbdickson at #RMISC #RMISC2019