Modern Application Stacks & Security

I had the pleasure to give a presentation at the Security Interest Group Switzerland Technology Conference about modern application stacks and how they can be used to improve infrastructure and application security posture – the slides can be found here. Besides seeing a lot of old friends, I particularly enjoyed a round table discussion on security integration into CI/CD pipelines. There was a relevant exchange on approaches that actually work and were tested in environments beyond just recommending some container scanner (product). One participant had an interesting case study on how they enabled developers to maintain WAF policies in configuration files in their code repository including automated deployment to the WAF. He also emphasized that the environments with actual security benefits resulted from a close cooperation between development and security team (were domain knowledge was combined 😉 ).




Continue reading

Agile Development & Security

I’m a big fan of Chris Gates’ publications on DevOops and From Low to Pwned. The content reflects a lot of issues that we also experience in many assessments in general and assessments in agile environments in particular. In addition, we were supporting several projects recently that were organized in an agile way. In this post, I want to summarize some thoughts on how security work can/should be integrated into agile projects. Continue reading “Agile Development & Security”

Continue reading