It’s Time For Change! - CounterMeasure 2019...WAF RASP CDN WAF Signals Based Attack Detection...

It’s Time For Change! The 1990’s called – They want their appsec program back.


Page 1:

It’s Time For Change! The 1990’s called – They want their appsec program back.

Page 2:

June 1980-something!

Page 3:

Security Engineer

Security Consultant

Security Researcher

Business Analyst

VP Marketing?!

Page 4:

How The World Does Business Has Fundamentally Changed…

Page 5:

“The modern business world is completely decentralized and mobile. In a knowledge economy you have to go where the knowledge is.”

Tyler Shields - 2016

Page 6:

Work In The 1990s

Page 7:

Tyler’s Home Office 1999

Page 8:

Page 9:

Work Today

• Decentralized

• Mobile

• Collaborative

• Rapid

• Empowered

Signal Sciences Offices: Venice California. We’re HIRING!

Page 10:

“In a hyper connected world, experience doesn’t matter as much as total sum of wisdom and the speed in which we can find an answer.”

Tyler Shields - 2016

Page 11:

Experience Curve

The more units you produce, the lower the cost per unit (1960s)

• Improvements in process

• Labor efficiency

• Product redesign

• Automation improvements

Page 12:

Collaboration Curve

The more participants–and interactions between those participants–you add to a carefully designed and nurtured environment, the more the rate of performance improvement goes up.

• Human capital network effect

• How does this work with decentralization?!

Page 13:

Technology Integration Advancements

Bug Tracking

• Jira

• Bugzilla

• Pivotal Tracker

ChatOps

• Slack

• HipChat

Alerting Services

• PagerDuty

• OpsGenie

• VictorOps

• DataDog

CI/CD

• Jenkins

• Travis CI

• Puppet

• Chef

• Ansible

Vulnerability Tracking

• Rapid7

• Beyond Security

• Qualys

Logging

• Splunk

• Kibana

• QRadar

Page 14:

“Markets and buyers change their mind faster than ever before. Buyers are fickle. Here today, GONE tomorrow.”

Tyler Shields - 2016

Page 15:

Path To 50M Users…

Question:

How quickly did these fall and what replaced them?

Pace of the climb is matching pace of the eventual fall.

Page 16:

Business Success Demands Speed Of Innovation…

http://techbeacon.com/10-companies-killing-it-devops

Etsy

•"Over 50 Deploys A Day"

Amazon

•"Deploys to production on average every 11.6 seconds"

Facebook

•"Minimum of bi-weekly app updates"

Adobe

•"Sees more than 60% increase in app delivery rate with DevOps Platform”

Sony Pictures Digital Media Group

•"Since adopting a continuous delivery model, DMG has cut down its month-long delivery time to just minutes”

Fidelity

•”Implemented DevOps reducing release time from 2-3 days to 2-3 hours.”

Page 17:

Agility refers to distinct qualities that allow an entity to respond rapidly to changes in the internal and external environment without losing momentum or vision.

Tyler Shields - 2016

Page 18:

Business

Find Product Market Fit

Fail Fast

“In”trepreneurial Innovation

Lean Business Model

Technology

Embrace Change

Push Often

Data and Visibility

Rapid Response

Page 19:

Technology Agility Achieved Via The Cloud…

• Everything As A Service

• Workloads Vs. Processes

• Rapid Prototyping

• Minimum Viable Product

Page 20:

http://www.winter-park.com/strategy/

“Safety can lead to irrelevance. Chaos is full of risk. The edge of chaos is continual adaptation. This is where relevance and growth live.”

#EDGEOFCHAOS

Page 21:

YET Security Remains Static…

Page 22:

“In security, the root of all evil lies in exactly two locations: errors in code and errors in business processes. There is nothing else.”

Tyler Shields - 2016

Page 23:

Verizon DBIR 2016: Web Application Attacks Are The #1 Source Of Data Breaches

Page 24:

Traditional App Security Technology Stack

Manual Assessment

• Late 1990s

DAST

• Early 2000s

WAF

• Mid 2000s

SAST

• Mid 2000s

[Timeline graphic on the slide; the only labels that survive are the years 1997-2004, 1999, 1999, 2000, 2001, 2001, 2002, 2003-2010, 2004, 2006, 2011]

Page 25:

Manual Assessment

Humans are expensive

Humans are error prone

Humans are inconsistent

Humans are SLOW

Page 26:

Dynamic Application Security Testing

Typically “Quick and Dirty”

FN/FP Prone

Increases workload of your security analysts

Unsure of code coverage

Multi-step attacks typically undiscoverable without human interaction

Page 27:

Web Application Firewall

• Expensive to maintain

• Not scalable

• Resource draining

• Breaks everything!

Page 28:

Static Application Security Testing

Expertise Required

Developer Heavy

Long Processing Time

FP / FN Prone

Practically rocket science!

Page 29:

Security Technology Adoption

Amy DeMartine: The State Of Application Security: 2016 And Beyond – Forrester Research

Adoption chart, 2013 vs. 2016 (percentage and change between the two years, as labelled on the slide):

• Architecture Reviews: 31% (+4%)

• SAST: 27% (+5%)

• DAST: 26% (+4%)

• Fuzz Testing: 14% (+11%)

• Manual Penetration Testing: 30% (+6%)

Page 30:

Rick Holland: Forrester Blog 2015

“Expense in Depth: The multilayered approach to ensuring minimal return on investment.”

Page 31:

To Fix The Problem Security Must…

Page 32:

“Apply the learnings of modern successful business practices to security programs and processes.”

Tyler Shields - 2016

Page 33:

Security MUST: Decentralize and Become Mobile

ACTION: GET THE HELL OUT OF THE WAY OF BUSINESS!

Page 34:

Security MUST: Increase the SPEED of decisions and execution.

ACTION: FIND WAYS TO INCREASE EXECUTION SPEED

Page 35:

Signal Sciences Customer 2016 – Developer BullPen

Security MUST: Provide security visibility to ALL!

ACTION: NO MORE SILOS! SHARE SHARE SHARE!

Page 36:

Security MUST: Ease the burden of security concepts

ACTION: MAKE YOUR DATA CONSUMABLE – NOT ROCKET SCIENCE

Page 37:

Security MUST: Increase collaboration between individuals and teams. Eventually becoming a part of the culture.

ACTION: MAKE YOURSELF INVISIBLE

Page 38:

Security MUST: Embrace life on the edge of chaos. It’s not such a horrible place to live after all.

Tyler Shields: 2016

Page 39:

It Might Feel Like This…

Page 40:

But really it’s just about finding the right vantage point to view reality.

Page 41:

It’s Time To Change..

• Decentralize and mobilize your security program

• Go faster, become an enabler, just say yes, get SHIT DONE!

• Break down silos. Share data with everyone. Collaboration is king.

• Demystify security data. Knowledge is power, give your entire company knowledge.

• Become invisible. Security wins when it ceases to exist.

• Embrace life at the edge of security chaos.

Page 42:

Thanks A Bunch!

Tyler Shields

VP Marketing Strategy Partnerships

[email protected]

@signalsciences

@txs

Page 43:

Complexity

Complex is made up of two Latin words:

com (meaning: "together")

plex (meaning: woven)

Page 44:

Intelligence

Intelligence:

"understanding, knowledge, power of discerning”

Page 45:

Innovation

- What is it

- What has it done to the world

- What has it done to security? Problem statement.

- How come we haven’t solved the problem…

- What can we do to solve the problem?

Page 46:

November 23, 2016 46


Page 53:

Signal Sciences

Comparison matrix. Columns on the slide, left to right: Signal Sciences NGWAF | WAF | RASP | CDN WAF. Only the number of ticks per row survived extraction, not the column each tick sits under.

Signals Based Attack Detection | ✓ ✓ ✓ ✓

Blocking Used in Production | ✓ ✓ ✓

Maintenance | ✓ ✓ ✓

Ease of Installation | ✓ ✓

Deployment Scalability | ✓ ✓

Anomaly Data Detection | ✓ ✓ ✓

Detection of Business Logic Attacks | ✓ ✓

Policy and Compliance | ✓ ✓ ✓ ✓

Successful Attack Detection* | ✓ ✓

Language Support / Cross Platform | ✓ ✓ ✓

Performance Impact | ✓ ✓ ✓ ✓
