Threat Modeling and (Extreme) Shift Left with Anderson Dadario

Web Security Dev Academy WAITING LIST: http://links.dev-academy.com/b8F Secure your spot and receive exclusive bonuses 🎉 In this conversation, Anderson Dadario, the founder of DevOps.security, discusses the importance of integrating security into the software development process. He explains the differences between traditional DevOps and DevSecOps, emphasizing the need for security by design and shifting security left in the development cycle. Anderson also provides insights into conducting a threat modeling exercise for a web application, identifying potential risks, and implementing mitigation techniques. He highlights the importance of understanding the business requirements and balancing security measures with the risk appetite of the company. Additionally, he suggests quick wins for developers to integrate security into their DevOps workflow. The conversation covers different approaches to threat modeling, common security vulnerabilities for developers, spectacular exploitation situations, and final thoughts and resources. Takeaways Integrating security into the software development process is crucial for building secure applications. DevSecOps focuses on security by design and shifting security left in the development cycle. Threat modeling exercises help identify potential risks and implement mitigation techniques. Understanding the business requirements and balancing security measures with the risk appetite of the company is essential. Quick wins for integrating security include using tools like dependency scanners, conducting threat modeling sessions, and standardizing security processes across teams. Threat modeling can be approached in different ways, including manual, automated, and scaled approaches. Outdated frameworks and lack of data validation and authorization checks are common security vulnerabilities that developers need to be aware of. Spectacular exploitation situations can occur when critical vulnerabilities are discovered in production applications. Remaining curious and continuously learning is essential for navigating the complex field of security. Connect with Us: Bartosz: - https://github.com/bartosz-io - https://twitter.com/bartosz_io - https://www.linkedin.com/in/bpietrucha Anderson: - https://www.linkedin.com/in/andersondadario/ - https://devops.security/ Thank you for tuning in to the Dev Academy Podcast. Enhance your web security insight with us as we explore the fascinating world of technology with industry experts. #DevSecOps #WebSecurity #SoftwareDevelopment #ThreatModeling #CyberSecurity #SecurityByDesign #DevOpsSecurity #SecureCoding