1、#SECTORCA BlackHatEventsHow to Scale AppSec Without Scaling Security HeadcountWith Mario Lacroix&Will Yeager#SECTORCA BlackHatEventsSpeaker BiosMario LacroixMario is an Engineer with specializations in microelectronics,computer science,and security.For the past 19 years,Mario has worked at Accenture
2、,inside the Cloud and Application Security group.Will YeagerWill is a Cybersecurity Consulting Manager at Accenture where for 13 years hes helped clients tackle complex challenges across application security,SOC transformation,machine learning,and infrastructure management.#SECTORCA BlackHatEventsBu
3、siness(Requirements)Use Cases Threat ModelsDevelopment(Continuous Integration)Repo,Artifacts SAST,SCATest(Continuous Delivery)Testing URL DAST,API Pen TestOperations(Production)Infrastructure&production systems Bug BountySDLC Meets SecurityTypical ActivitiesOld Duration/Turn-Around TimeNew Duration/
4、Turn-Around TimeThreat ModelingWeeksNear Real-TimeSAST Scanning&False Positive AnalysisDays(multiple teams interacting)Self-Service(on Developers schedule)DAST Scanning&False Positive AnalysisDays(multiple teams interacting)Self-Service(on Developers schedule)Pen TestingWeeksNear Real-TimeInfra Fixe
5、sMultiple sprints(multiple teams interacting)Branch with fixes ready(on Developers schedule)#SECTORCA BlackHatEventsCustom DevOps Security ApproachSecurity Requirements(ArcBot)Developers Advisor(AppSecBot)Security Test Lifecycle(PenBot)Secure Prod(Gating)Visibility(AppNav)Business(Requirements)Use C
6、ases Threat ModelsDevelopment(Continuous Integration)Repo,Artifacts SAST,SCATest(Continuous Delivery)Testing URL DAST,API Pen TestOperations(Production)Infrastructure&production systems Bug Bounty#SECTORCA BlackHatEventsDevelopment PrioritizationFunctional Requirements GatheringNon-Functional Requir