You are viewing content from a past/completed QCon -

SESSION + Live Q&A

Keep Calm and Secure Your CI/CD Pipeline

Watch video with transcript

Shifting left significantly reduces costs and diminishes release delays. Continuous security validation should be added at each step from development through production to help ensure the application is always secure. We can then switch the conversation with the security team from approving each release to approving the CI/CD process and having the ability to monitor and audit the process at any time.

In this session, we’ll be focusing on work done with Pride in London (a project using Gatsby2, Contentful and Netlify) and showing you how to create a secure continuous integration/continuous deployment pipeline. You’ll learn how GitHub Marketplace helped the team automating and improving our workflow with different tools for accessibility, code coverage, code review, code quality, security and other functionalities (alerting with Slack). You’ll also find out what OWASP is and how to improve the workflow for your own open source projects using GitHub Marketplace applications.

What is the work that you are doing today?

In my day job, I'm the lead security engineer at Photobox. I'm in charge of application security, cloud security and network security within my team. And for Pride in London, I'm the tech lead and the security manager. I take care of the website and the application, manage a team of fifteen developers and implement features that the other teams in the organisation are requesting. This is all volunteer based and working on an open source project.

How do you deal with stress and development when building security features?

It depends on the features. If it's a new feature, we could set up threat modelling sessions where we would sit down with the developers, the architect and the product owner, go through those new features and see what can go wrong and how we can remediate or fix any issues that are flagged during those sessions. Also we attend their developers guilds and try to give more context and tell a story behind the vulnerabilities, because we think that presenting the OWASP Top 10 most common vulnerabilities is great, but also giving more context and how it impacts different companies, by giving real life examples, make more sense for the developers because they might not be used to the security jargon.

What are the goals for your talk and what are the takeaways?

The talk will cover a quick introduction around what is cybersecurity and why is it important? I will give a couple of examples - like the one that I mentioned with the event stream package. What could be the impact of ransomware? Then I will focus on web application security. 

Speaker

Sonya Moisset

Lead Security Engineer @Photobox / Tech Lead @PrideInLondon

Sonya is a lifelong traveler who lived in the Middle-East, North Africa and Asia and is always looking for new challenges. She has made a career switch from International Business Consultant in Saudi Arabia and Singapore to Full Stack Software Engineer in South Korea to Lead Security...

Read more
Find Sonya Moisset at:

Speaker

Sonya Moisset
Sonya Moisset

Lead Security Engineer @Photobox / Tech Lead @PrideInLondon

Location

Churchill, G flr.

Track

Scaling Security, from Device to Cloud

Topics

LondonCI/CDSecurityInterview Available

Share

Share Share

From the same track

SESSION + Live Q&A Architecture

Designing Secure Architectures the Modern Way, Regardless of Stack

This talk aims to attack two typical conflicts any security architect is well familiar with: 1. Most of the design thinking for preventing security incidents and performance bottlenecks focuses on avoiding known risks in a known way. However, most of the time this approach leads to...

Eugene Pilyankevich

CTO @cossacklabs, Building Applied Cryptographic / Data Security Tooling

SESSION + Live Q&A London

Reconciling Performance and Security in High Load Environments

Most perceive security fixes and improvements as a necessary evil, because security is much “less tangible” than primary product functionality in terms of potential revenue. On top of not bringing any “meaningful” value to the overall system, security comes at a cost of...

Ignat Korchagin

Cryptographer, & Security Software Engineer @Cloudflare

SESSION + Live Q&A Interview Available

Security Vulnerabilities Decomposition

In most companies security is driven by compliance regulations. The policies are designed to contain the CWEs each company is interested to comply with. The result of this approach is a high number of insecure applications are still produced and injection is still King. Is there another way...

Katy Anton

Principal Application Security Consultant @Veracode

SESSION + Live Q&A Security

The Quantum Risk & Future Post-Quantum Standards

This talk will describe the risk of quantum computing to cryptography, in a way suitable to an audience without quantum physics nor cryptography background.  We will present the mitigations available today thanks to research in the field of post-quantum cryptography, and we'll...

Jean-Philippe Aumasson

Author of "Serious Cryptography", Designer of Hash Functions BLAKE3 and BLAKE2

View full Schedule