The lecture titled "Automating AppSec" delves into the critical challenges associated with manual application security (AppSec) processes and outlines strategic approaches for incorporating automation to enhance efficiency, accuracy, and scalability. The lecture is structured to highlight the inherent difficulties in traditional AppSec practices, emphasizing the labor-intensive triage of issues, the complexity of identifying responsible owners for security flaws, and the challenges of implementing security checks within CI/CD pipelines. Furthermore, it provides actionable insights on automating these processes to not only mitigate these pains but also to enable a more proactive and scalable security posture within development cycles.

The Pains of Manual AppSec:

This section will explore the time-consuming and error-prone nature of manually triaging security issues, including the difficulty of prioritizing vulnerabilities based on their actual risk to the organization. It will also discuss the challenges in determining ownership for remediation tasks, a process often complicated by cross-functional teams and microservices architectures. Additionally, the inefficiencies of manual checks within CI/CD gates will be examined, highlighting how they can delay deployments and introduce security risks.

Automating CI/CD Gates:

Here, the focus shifts to the automation of security within the CI/CD pipelines. The lecture will cover methods to seamlessly integrate security tools that automatically scan for vulnerabilities as part of the build process, thereby ensuring that security is a core component of the development lifecycle. Strategies for configuring automated gates that can block or flag builds based on the severity of detected issues will be discussed, ensuring that only secure code progresses through the pipeline.

Triaging Issues with Automation:

This segment addresses how automation can be leveraged to intelligently triage and prioritize security issues. It will cover technologies and methodologies for automatically assessing the context and potential impact of vulnerabilities, facilitating quicker and more accurate decision-making. The use of automated alerting and reporting mechanisms to ensure the right stakeholders are informed in a timely manner will also be discussed.

Identifying Ownership Automatically:

Automating the process of identifying who owns the responsibility for fixing specific security issues is critical for efficient remediation. This part of the lecture will explore tools and practices for mapping vulnerabilities to code owners, leveraging version control and project management tools.

Three Tips to Scale the Shift Left Program:

Finally, the lecture will offer three practical tips for organizations looking to scale their Shift Left security programs. These will include recommendations on fostering a security culture within development teams, employing DevSecOps principles to integrate security throughout the development process, and utilizing machine learning to improve the accuracy and efficiency of automated security tools.

By the end of this lecture, attendees will have gained a comprehensive understanding of the limitations of manual AppSec practices and how automation can address these challenges. More importantly, they will leave with actionable strategies and tips to implement and scale automated AppSec solutions within their organizations, ultimately leading to more secure software development processes.

Neatsun Ziv, Co-Founder and CEO

Neatsun Ziv is the CEO and co-founder of OX Security, the first end-to-end software supply chain security solution for DevSecOps. Before founding OX, he was the VP Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT and other enforcement agencies.

Neatsun is a passionate and seasoned entrepreneur with vast cyber security experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including CPX, frequently being selected as one of the top talks.

Neatsun holds a B.Sc from Israel’s Open University (honors) and an MBA from the Technion (Magna Cum Laude).