Listening to @johnbdickson at #RMISC - AppSec in a World of Digital Transformation

@johnbdickson Businesses are demanding speed in software development over and above nearly every other requirement. This can be an opportunity for AppSec teams – @johnbdickson at #RMISC #RMISC2019

"Digital Transformation" is a business-oriented term, and as such it's a little ill-defined. It's basically code for "we don't want to get stomped by people like Netflix who are moving fast" – @johnbdickson at #RMISC #RMISC2019

Having systems that all talk to each other (probably through web services) leads to better customer experience. It's a competitive advantage, and that drives what the C-suite calls #DigitalTransformation – @johnbdickson at #RMISC #RMISC2019

The market pressure is 'push services to market faster, with better user experience'; time-to-market beats almost every other consideration – @johnbdickson at #RMISC #RMISC2019

New features go from idea to rollout in days/weeks. Organizations are reorganizing around "Digital". CDO (Chief Digital Officer)/CIO/CTO does worry about security, but it's outweighed a lot by time-to-market – @johnbdickson at #RMISC #RMISC2019

#DigitalTransformation is also driving process and tech changes in software development: microservices, #Serverless, CI/CD, and new(er) languages and platforms – @johnbdickson at #RMISC #RMISC2019

The 1907, one-dimensional, "assembly line" AppSec programs and toolchains don't work in a #DevOps world. Which means they will get laughed at if we apply them to a #DigitalTransformation organization – @johnbdickson at #RMISC #RMISC2019

Most SAST / DAST scanners on the market assume interactive web applications developed in popular compiled languages, and break down on mobile and microservices and such – @johnbdickson at #RMISC #RMISC2019

PCI DSS said "thou shalt have a pen test or a WAF", but WAFs are generally not well-managed, so that's a big disservice – @johnbdickson at #RMISC #RMISC2019

Modernize your AppSec: tune it to the tech stacks you're actually using; make threat modeling faster (but do it 100%!); move tests to CI/CD as much as possible; worry more about trust – @johnbdickson at #RMISC #RMISC2019

Provide #DevOps teams with a reference cloud architecture; annotate it extensively. No guidance means devs will likely roll their own which may not get adequate security attention – @johnbdickson at #RMISC #RMISC2019

Trust boundaries and threat modeling become more important as "faster testing" needs lowers testing coverage and quality – @johnbdickson at #RMISC #RMISC2019

Understanding what your scanners are good at and bad at becomes increasingly essential. Your AppSec people need to be experts about your scanner -- language/platform support and scan quality can vary even within a given product – @johnbdickson at #RMISC #RMISC2019

AppSec people need to help build pipelines so security can be baked in. – @johnbdickson at #RMISC #RMISC2019

Dual-track testing -- the pipeline tests, and the comprehensive system tests (NB: that's exactly what @Veracode recommends and has been improving support for over the last couple of years) – @johnbdickson at #RMISC #RMISC2019

#DigitalTransformation + changing tech stacks = a reset for AppSec

But it's an opportunity; and if you don't take it, you'll recreate the same problems you inherited – @johnbdickson at #RMISC #RMISC2019