November 18, 2018

DevSecCon London 2018 takeaways

I recently visited DevSecCon London 2018 and kept notes of my takeaways. Read about them in this Google Doc and feel free to comment on it.

November 6, 2018

IoT security

Here's the best recent article/opinion I've read on IoT security, written by Bruce Schneier.

It touches upon the market dynamics and covers the inevitable government regulation.

Very well put! Highly recommended read.

September 12, 2018

Handy tool to check CSP

https://blog.thomasorlita.cz/vulns/google-csp-evaluator/

Useful to defenders and attackers (bug bounty hunters?) alike.

September 1, 2018

Sec tools: Should you buy or build?

Are you contemplating buying a security blinky box that will solve your problem? Could the team build something similar from scratch or re-using open source components? Valid dilemma.

This should help. Especially the analysis of steps #2, #3 and #4.

August 29, 2018

Lessons on implementing SAST

Long but great reading on how Google does SAST. Contains things that didn't work for them and what they did to end up with working solutions.

The Lessons and Conclusion chapters are a must-read, especially for anyone who tries to implement SAST in an organization.

June 16, 2018

Signal Sciences devops-sec roadmap

Signal Sciences published The devops roadmap for security in 2016. I just read it and found it quite easy and interesting. Obviously, it's about integrating security in a devops organization.

Most things they touch on can also be found elsewhere, but:
  • page 14 makes clear why a good engineering culture is important in general and in particular for security (hint: because there aren't enough security engineers and you need others to do some of the work)
  • pages 15-16 are a must-read; they outline Lean Security and what we must do right to not be rejected by the delivery organization