BruCON 0x0E has ended
Back To Schedule
Thursday, September 29 • 10:30 - 12:30
Embrace Secure Defaults, Block Anti-patterns, and Kill Bug Classes FILLING

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Limited Capacity filling up

Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up. How can you help empower your engineering counterparts to ship software quickly and securely?

An increasingly popular answer is secure defaults - make it easy to do the secure thing, and hard to do the insecure thing, whether that’s parsing XML files, interacting with the database, authorization, or any other security-relevant functionality.

Done properly, secure defaults (also called “guardrails” or building a “paved path”) can effectively eliminate classes of vulnerabilities from ever occurring in the first place, effectively scaling your security team. The power of secure defaults have been praised by established companies like Netflix, Google, Facebook, and Microsoft as well as rapidly growing mid-sized companies and even start-ups.

Security maturity frameworks such as BSIMM, OWASP SAMM and NIST SSDF indicate that the most mature and efficient security programs will tailor these secure defaults to their organization. Many security tools allow such customization, but they are not all created equally. With Semgrep creating custom rules is done in a simple YAML format and the first rule can be written within several minutes.

This workshop will teach you:
• Why the current approach to software security is not working to reduce vulnerabilities
• Why developers should be considered early and often in the SDLC
• How a paved security path for developers can create a higher standard of secure code, without compromising speed of delivery
• How to enforce security best practices unique to your organization (for the workshop we will be using the open source static analysis tool Semgrep)

This workshop will be part big picture ideas and best practices, and a lot of hands on examples and demos. You’ll leave with some insights, open source tools, and actionable tips to get started immediately.

avatar for Claudio Merloni

Claudio Merloni

Claudio is a veteran security expert. After completing his Master in Computer Engineering at the Politecnico di Milano University, he started a now more than 15 years long journey in the security space. Security consultant first, then moving through different roles, from technical... Read More →
avatar for Pieter de Cremer

Pieter de Cremer

Pieter De Cremer is a long-time security enthusiast. He joined Secure Code Warrior as part of an internship in 2015. During his master he continued to work at this company and wrote more than 100 rules for Sensei, their IDE security plugin. During this time he was closely involved... Read More →

Thursday September 29, 2022 10:30 - 12:30 CEST
05. Boscoli