Security Superstream: DevSecOps

Chloé Messdaghi: Introduction (5 minutes) - 8:00am PT | 11:00am ET | 3:00pm UTC/GMT

• Chloé Messdaghi welcomes you to the Security Superstream.

Kelly Shortridge: Watering the Roots of Resilience—Learning from Failure with Decision Trees (45 minutes) - 8:05am PT | 11:05am ET | 3:05pm UTC/GMT

• Software systems are complex, sociotechnical systems; without humans, software systems can’t adapt. But understanding your system’s reality and how it adapts in response to changing conditions is no small feat. Kelly Shortridge explores how software engineers can align their mental models of the system with reality. You’ll learn about the necessity of resilience stress testing (i.e., chaos experiments) to expose your system’s messy reality, see how to document and visualize your mental models through decision trees to inform design improvements and further experiments, and examine some practical open source tools to apply in your everyday work. By the end of the session, you’ll understand how decision trees can empower you to reason about stressors and surprises in systems.
• Kelly Shortridge is a senior principal at Fastly and lead author of Security Chaos Engineering: Sustaining Resilience in Software and Systems (for O'Reilly). She’s best known as an expert on resilience in complex systems, the application of behavioral economics to cybersecurity, and bringing security out of the dark ages. Kelly is also a frequent keynote speaker, advisor, and author and has been a successful enterprise product leader, entrepreneur (with an exit to Crowdstrike), and investment banker.

Cassie Crossley: Supply Chain Security (45 minutes) - 8:50am PT | 11:50am ET | 3:50pm UTC/GMT

• Thousands of vulnerabilities are announced every month. A product’s open source or third-party commercial libraries often have vulnerabilities, but is that the only concern? What should a vendor be doing to secure its supply chain? Join Cassie Crossley to find out how a very large OEM has structured more than 13 supply chain security initiatives, including R&D security, secure development, SBOMs, vulnerability management, and third-party risk management.
• Cassie Crossley is vice president of supply chain security in the global Cybersecurity & Product Security Office at Schneider Electric. An experienced cybersecurity technology executive in information technology and product development, she’s also the author of Software Supply Chain Security, from O'Reilly. Cassie has many years of business and technical leadership experience in supply chain security, cybersecurity, product and application security, software and firmware development, program management, and data privacy. She’s a member of the CISA SBOM working groups and presents frequently on the topic of SBOMs and supply chain security.
• Break (10 minutes)

Laura Bell Main: So Long, Secure Coding—Shifting from Syntax to Secure Software Development Processes (45 minutes) - 9:45am PT | 12:45pm ET | 4:45pm UTC/GMT

• If you still need to start shifting left, you're late. The whole world has been shifting application security left for about five years, especially in the wake of DevSecOps. Do you still focus on "secure code," even though code is only part of the picture when protecting your data, systems, and people? Laura Bell Main examines this focus on secure code and examines how to move toward secure development, providing practical actions you can take throughout your SDLC, from initial ideas to ongoing systems maintenance and support that you can apply today.
• Laura Bell Main is cofounder and CEO of SafeStack, an online education platform offering flexible, high-quality, and secure development training focused on building application security skills, practices, and culture across the entire engineering team. She’s also the coauthor of Agile Application Security (O’Reilly) and Security for Everyone. With over 20 years of experience in software development and application security, she’s an experienced conference speaker, trainer, and panel member and has spoken at events such as BlackHat USA, NDC, RenderATL, and OSCON.
• Break (5 minutes)

Diana Kelley: Protect AI with MLSecOps (45 minutes) - 10:35am PT | 1:35pm ET | 5:35pm UTC/GMT

• The potential of AI is tantalizing. From automating routine writing tasks to modeling health outcomes for large populations, the technology is rich with promise. The more you rely on AI and ML, the more important it is that those systems are secure and resilient. Diana Kelley explains why the time is now to adopt an MLSecOps approach and provides key guidance on how to build security into the machine learning lifecycle.
• Diana Kelley is the chief information security officer for Protect AI. Previously, she was cybersecurity field CTO for Microsoft, global executive security advisor at IBM Security, CTO and cofounder of SecurityCurve, and has held other leadership positions at Symantec, Burton Group (now Gartner), KPMG, and Salt Cybersecurity. She serves on several boards, including WiCyS, the Executive Women’s Forum, InfoSec World, and the CyberFuture Foundation. She’s also a sought-after keynote speaker, the host of BrightTALK’s The (Security) Balancing Act, and coauthor of Practical Cybersecurity Architecture and Cryptographic Libraries for Developers.

Chloé Messdaghi: Closing Remarks (5 minutes) - 11:20am PT | 2:20pm ET | 6:20pm UTC/GMT

• Chloé Messdaghi closes out today’s event.