Track: Security Transformation

Location: Whittle, 3rd flr.

How do you actually start with a security mindset? Learn techniques for making security a first-class concern.

Track Host: Guy Podjarny

Co-founder @SnykSec, previously CTO @Akamai

Guy Podjarny (@guypod) is a cofounder at, focusing on open source and cloud security. Guy was previously CTO at Akamai following their acquisition of his startup,, and worked on the first web app firewall & security code analyzer. Guy is a frequent conference speaker, the author of “Responsive & Fast”, “High Performance Images” and the upcoming “Securing Open Source Code”.

10:35am - 11:25am

The Evolving Practice of Security

As technology has evolved from on-premise data centres to cloud native systems, the practices for managing that technology have evolved too, giving us benefits like continuous integration and deployment, configuration as code and cloud orchestration platforms. But security practices have generally not evolved to match; we find security practitioners are still fighting the wars of yesterday, fighting firewalls and network configurations that simply don’t exist today.

In this talk, you’ll learn which practices are evolving in the security space, and how developers and security can collaborate more using new and modern practices.

Michael Brunton-Spall, Independent Security Consultant, previously Deputy Director for Technology and Operation, & Head of CyberSecurity of Government Digital Service

11:50am - 12:40pm

Speed The Right Way: Design and Security in Agile

“Blame the programmer” was an emerging theme in the security breaches of the last year, placing coders and “their bugs” squarely in the security spotlight. But what lies upstream of the implementation bugs causing these security issues? Application architecture and design. Effective application design is critical to application security. However, in many agile software groups, design and design processes are de-emphasized in favor of velocity metrics and developer productivity. The result is a perception of effectiveness that conceals a debt of security-related design flaws. By shifting security “left” (i.e. earlier in the application development process), development teams become responsible for clearly communicating design choices that impact security to security stakeholders, or risk costly rework.

In this talk, we will discuss the renewed focus on software design process and code complexity in software security. We will discuss specific breaches and how design decisions have contributed to those events. We will describe how design review can be modernized to help improve application security. And finally, we will discuss how to do design reviews right and elevate the quality of security design review conversations for technical and less-technical stakeholders.

Kevin Gilpin, Enterprise Software Engineer

2:55pm - 3:45pm

The Three Faces of DevSecOps

DevSecOps is the buzzword du jour in the world of security. Organisations increasingly understand that if you transform development and embrace DevOps, you must transform security as well. Failing to do so would either leave you insecure, or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it even mean?

This talk unravels the different stages in the evolution of DevSecOps. It separates the term into securing DevOps technologies, methodologies and shared ownership, giving concrete examples of good and bad in each. In the end, you'll have the tools you need to choose your interpretation of DevSecOps, and choose the practices and tooling you need to support it.

Guy Podjarny, Co-founder @SnykSec, previously CTO @Akamai

4:10pm - 5:00pm

Securing Services Using SSO

As BuzzFeed transitioned to microservices, it needed to secure a growing number of internal tools. Our first solution was an open source auth service deployed in front of each app, but this approach had a number of scaling issues. The talk will discuss sso, our open-source, homegrown, centralized solution, which elegantly solved this problem.

Shraya Ramani, Software Engineer @BuzzFeed

5:25pm - 6:15pm

A Continuation of Devops: Policy as Code

Organisations large and small are embracing devops and agile practices and transforming themselves into software companies. As part of that movement, many organisations have embraced infrastructure as code: the idea that rather than systems administrators managing servers, databases and cloud infrastructure manually, they instead describe that infrastructure in software.

Security is about controls, but many of those controls are still maintained in spreadsheets, described in baroque documents that not everyone has access to, or enforced with people as the gatekeeper. How can we apply the patterns that have transformed infrastructure management to improve security?

In this talk we will:

  • Look at examples of tools that move security controls into code, with a focus on ModSecurity, InSpec and Open Policy Agent
  • Explore the properties of successful infrastructure management tools, and what is missing in security tools today
  • Discuss how policy as code can work at the team level: who has responsibility for what, and how this encourages collaboration

Gareth Rushgrove, Product Manager @Docker
