Secure Software Summit 2022

Join us for a day on the latest methods and breakthroughs in secure coding and deployment practices

________________________________________________________________

We are very excited about the upcoming inaugural Secure Software Summit, which brings together leading innovators and practitioners of secure software development on January 27, 2022. This is an event designed for all who build code, make it secure, and want to do it faster, easier, more efficiently, earlier, and more accurately from the start.

ShiftLeft, of course, is more than our company name; it’s an exciting approach to reducing the impact of vulnerabilities in code. Securing code earlier and better has become a discipline unto itself, and we decided to sponsor a day devoted to “Why” and “How To” for the AppSec and development community at large.

Secure Software Summit will be a virtual conference because this allows for more direct interaction while getting around the unpredictability of COVID. It’s free, and it’s a single concentrated day: Thursday, January 27, 2022. Besides the keynote sessions and interactive panels, you’ll have access to hands-on workshops and some very useful techniques and methods. Plan on taking home mental frameworks and new approaches that you can put into action very quickly.

Vickie Li

We assembled a lineup of experts who definitely “walk the walk” — for example, you may recognize our developer-evangelist Vickie Li, author of ebooks on mistakes and pitfalls to avoid. She’ll be leading an afternoon session with ShiftLeft Staff Scientist, Suchakra Sharma, on:

Analyzing Source Code for Vulnerabilities.

The morning kicks off at 9:00 AM PT with Josh Corman, former Chief Strategist for the CISA COVID Task Force. Josh is known as the founder of the Cavalry (dot org) and brings great perspective from his recent role at CISA and his years in cybersecurity leadership at Akamai, Sonatype, and PTC. This should be of high interest, given that the global COVID response supply chain has endured massive attacks and sabotage.

Josh Corman

Then Shannon Lietz, Founder of the DevSecOps Foundation and VP at Adobe’s Vulnerability Labs, takes over the podium. If you don’t know Shannon, well, you are alone. She is an award-winning innovator with decades of experience pursuing advanced security defenses and next generation security solutions She also tells venture capitalists where to invest billions, helps non-profits pro bono, and ran DevSecOps at Intuit.

Shannon Lietz

Another intriguing keynote follows, on reducing risk in open source supply chains, on which modern software and life as we know it depend. Dan Lorenc of Chainguard will cover CodeCov, Solarwinds, Sigstore, In-Toto, The Update Framework and more, as he presents: Risk and Reward: The State of Open Source Supply Chain Security”

Dan Lorenc

Operating Safe, Secure & Reliable Systems with Security Chaos Engineering

Aaron Rinehart, CTO of Verica, a pioneer in security chaos engineering, will show how this emerging discipline helps organizations prepare for the unpredictable challenges of a major breach, by using continuous security experimentation to reduce the likelihood of blind spots. Bonus: 500 attendees will receive a copy of the book Aaron co-authored with Kelly Shortridge. Aaron’s LinkedIn photo illustrates chaos engineering in action. He is a veteran chief architect with leadership roles at UnitedHealthGroup, Randstadt, and Homeland Security.

Aaron Rinehart

Fuzzy Testing and Scaling Static Vulnerability Discovery

A quick half-hour talk by our own Chief Scientist, Fabian Yamaguchi, on scaling static discovery (so that scans finish in 10 minutes!) when fuzzy testing isn’t a fit, or hits its limits. Fabian promises “Many little tweaks you will not find in a research paper, and the largely ignored topic of scaling static analysis horizontally.”

Fabian Yamaguchi

Practical and Strategic Advice on Making SBOM Work for You

There’s also been a surge of interest in SBOM (Software Bill of Materials), so we’re pleased to have Steve Springett of OWASP, Chair of the CycloneDX SBOM Standard, Core Working Group and ServiceNow to focus on transparency in the software supply chain. Steve will bring real-life examples of different methods of SBOM creation and their tradeoffs.

Steve Springett

DevOps and AppSec Tracks

For the afternoon, the event bifurcates into two parallel tracks: DevOps and AppSec. You can pick and choose, and you’ll have some tough choices. In fact, unless you have self-cloning abilities, we hope you’ll bring colleagues to the Summit, so you don’t miss any of the track sessions.

The DevOps track features a star lineup:

• Shinesa Cambric, Microsoft —  on Securing Software with a Zero Trust Mindset . Always build software with an “always verify” mindset. Software supply chain attacks, and embedding Zero Trust into software engineering.

Shinesa Cambric

• Harini Rangarajan, Twilio and Yashvier Kosaraju, Sendbird  — jointly present on Security Metrics That Count . You can’t describe what you don’t measure properly, and leadership needs to hear it in a way they understand.
• Jonathan Schneider, Moderne   —  Making Your Code Fix Itself where he explains how Netflix’s OpenRewrite technology brings shift-left concepts to improve preexisting code. In the session, Jon will write code to fix a known vulnerability — across 100 million lines of open source code.

Jonathan Schneider

• Vandana Varma, Snyk —  New Way of Envisioning Security in the Dependencies . 96.8% of code on the Internet is open source, so how do we find the hidden threats in open source projects — before malicious actors exploit them?
• Mark Wireman, Accenture  — on the high-stakes convergence of security and compliance. He’s here to “educate and enable people on how to not hit guardrails” and align DevSecOps with compliance and governance.

Not to be outdone, the AppSec track kicks off with:

• Jasmine Jackson, Disney  — she’ll showhow to leverage a hugely useful byproduct of DAST and SAST that is currently going to waste: valuable findings that can drive security education, help avoid pesky vulnerabilities and mitigate at a pace that keeps up. Jasmine is an application security engineer, blogger, author, adjunct professor at Drexel, and 2020 Infosec Hall of Fame inductee.
• Abhishek Arya, Google —  on Measuring and Mitigating Risk in — you guessed it — open source software. As always, what you don’t know can wreck everything. Here’s what Google is doing about the risks of consuming software components and their transitive dependencies.
• Vickie Li and Suchakra Sharma, ShiftLeft  — will run a hands-on workshop on Analyzing Source Code for Vulnerabilities. They will first go through the basics of how to review your code for vulnerabilities and then dive deeper into how to make your code analysis more efficient.
• Rob Lundy, ShiftLeft with Malcom Harkins, Chief Security and Trust Officer at Epiphany Systems and Bryan Smith , CTO of RiskLens will address Reachability and Risk: Tools for Security Leaders on frameworks for making trade-off decisions and communicating security efforts to leaders in other departments.

Malcom Harkins

The Bug Stops Here. Mark It. January 27.

The Secure Software Summit runs from 9am — 4pm PT and our goal is to pack every minute with takeaways that will add panache to your AppSec and DevOps and help you ensure that “The Bug Stops Here”. We look forward to you and your colleagues joining us on Thursday, January 27!

Reserve your Spot

https://www.techstrongevents.com/secure-software-summit/

---