HF 2022 - Call for Papers

AppSec - The missing link
2022-10-30, 11:00–11:50, Track 1

Achieving the “Shift Left” transformation is the goal of many organizations when it comes to application security. To do so, significant effort and money are spent to include security activities in the CI/CD pipeline. Such activities are often considered both the starting point and the target of the shift left transformation. In fact, security activities in the CI/CD are just a portion of an organization's journey to achieve the shift left. Secure Software Development Life Cycle (SSDLC) practices are another important portion of that journey, but there are other key aspects which are considered less often.

In this talk we will present the prerequisites, dependencies and outcomes of integrating security activities into the CI/CD that organizations face during their shift left journey. We will focus on the importance of development and security practices outside of the normal scope of the SSDLC. In other words, what should be considered alongside pure AppSec practices on the road to a successful shift left journey.


Introduction: (5 min)

Section brief:

Laying out the context and purpose of the talk.

Section topics:

  • Speaker presentation

  • Purpose and context of the talk

  • Presentation plan

Prerequisites: (20 mins)

Section brief:

Explore the relation between having mature development practices and the ability to include security activities in them.

Section topics:

  • Coding Practices

    The relation between having good general coding practices and the deployment of static analysis tools (SAST) in the CI/CD. Examples of coding practices: shared libraries, standard development project structure and code quality standards.

  • Testing Practices

    The relation between having good general testing practices and the deployment of dynamic analysis tools (DAST) in the CI/CD. Examples of testing practices: data backup & restore, configurable features and negative testing.

  • Release Practices

    The relation between having good general release practices and the deployment of security gates in the CI/CD. Examples of release practices: automated release notes, release artifact management and release blocking.

Dependencies: (10 mins)

Section brief:

Explore the relation between having mature processes and having the ability to manage the security defects efficiently.

Section topics:

  • Vulnerability management:

    The relation between having a good vulnerability management process and the management of security defects. Examples of vulnerability management: internal vulnerability database, automated triage rules and vulnerability resolution recipe.

  • Defect grooming and handling:

    The relation between having a good defect grooming process and the management of security defects. Examples of defect grooming: defect to task mapping, time to resolution tracking, bug prioritization and effort planning.
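As an added example (not part of this proposal), the Dependencies topics above expressed as a small triage script: constructed SAST findings are checked against a constructed internal vulnerability database, each remaining finding is mapped to a task with a severity-based time-to-resolution SLA and prioritized, and the open tasks feed a release-blocking gate. The SLA values, task naming and gate policy are assumptions.

```python
from datetime import date, timedelta

# Internal vulnerability database (constructed sample): fingerprint -> recorded decision.
VULN_DB = {
    "fp-001": {"status": "false_positive"},
    "fp-002": {"status": "accepted_risk", "expires": date(2022, 12, 31)},
}

# Automated triage rule (assumed values): severity -> time-to-resolution SLA in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed SAST findings, in the shape a scanner might emit them.
FINDINGS = [
    {"fingerprint": "fp-001", "rule": "sql-injection", "severity": "high", "file": "db.py"},
    {"fingerprint": "fp-002", "rule": "weak-hash", "severity": "medium", "file": "auth.py"},
    {"fingerprint": "fp-003", "rule": "path-traversal", "severity": "critical", "file": "files.py"},
    {"fingerprint": "fp-004", "rule": "debug-enabled", "severity": "low", "file": "settings.py"},
]
SCAN_DATE = date(2022, 10, 30)  # constructed scan date

def triage(findings, found_on, db=VULN_DB):
    """Drop findings the vulnerability DB already settles, then map every
    remaining finding to a task with a due date derived from its severity."""
    tasks = []
    for f in findings:
        known = db.get(f["fingerprint"])
        if known and known["status"] == "false_positive":
            continue  # recorded false positive: no task
        if known and known["status"] == "accepted_risk" and known["expires"] >= found_on:
            continue  # risk acceptance still valid: no task until it expires
        tasks.append({
            "task": f"SEC-{f['fingerprint']}",  # assumed defect-to-task naming
            "severity": f["severity"],
            "summary": f"{f['rule']} in {f['file']}",
            "due": found_on + timedelta(days=SLA_DAYS[f["severity"]]),
        })
    # Prioritize: highest severity first, then earliest due date.
    order = list(SLA_DAYS)
    tasks.sort(key=lambda t: (order.index(t["severity"]), t["due"]))
    return tasks

def release_gate(tasks, today):
    """Release-blocking rule (assumed policy): block when any open task is
    critical or past its SLA deadline; return (allowed, blockers)."""
    blockers = [t for t in tasks if t["severity"] == "critical" or t["due"] < today]
    return (len(blockers) == 0, blockers)

def run(today=SCAN_DATE):
    tasks = triage(FINDINGS, today)
    return tasks, release_gate(tasks, today)
```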

Outcomes: (10 mins)

Section brief:

Explore the relation between having resources to support security in the CI/CD and the success of the shift left.

Section topics:

  • AppSec Op team:

    The relation between providing support for the security activities in the CI/CD and maintenance of the shift left velocity. Examples of support: tool integration issues, tool evolution and tool execution support.

  • Funding

    The relation between having a recurrent budget for security activities in the CI/CD and maintenance of the shift left velocity.

Conclusion: (5 min)

Section brief:

Summary of the presentation content, statement of the underlying message and an opening to continue the shift left journey.

Section topics:

  • Wrap up

  • Opening


Are you releasing a tool? – no
Was this talk already given? – no