
Caligin Tsukihara @caligin@octodon.social

Oh, it's actually a sponsored talk about a report-sharing-collaborative-tables-and-numbers-and-red-and-green-arrows tool. It all makes sense now.

"Shift left is not enough, you need to expand and make everyone aware and on board that they need to apply security at all phases" -- wait, isn't that what shift left means?

"Devs don't like having to run SASTs and having to do a lot of stuff, you need to give them just the small things that they need to really do to pass their security audit."
This sounds like encouraging the very wrong practice of security by boxticking and it's a very bad message to send out.

Whoops noticed just now that I keep getting the hashtags wrong swapping with lol

Speaker showing a diagram with an agile SDLC lifecycle in a circle, at some point there is "feature complete? Yes another iteration / no exit" ... but projects/products never end! They either die or need maintenance and evolution.

"Shift left is relative to context, is your thinking model right-to-left? Or maybe top-to-bottom?"

ohgawd please stop saying docker! he managed to say it 12 times in 4 phrases

Animated diagrams from an isometric view though, slick af! I'm genuinely impressed.

Every sponsored talk ever: "Hey, I'm not here to sell our product, but here's a brief commercial of our product, and here are the tech details:"
*Spends 40 minutes showing slick diagrams and repeating that it integrates with anything and everything*

"People are wonderful... attack vectors."

Subresource Integrity: you can have the browser verify hashes of resources included in a page
developer.mozilla.org/en-US/do

Project is in its infancy, needs contributions!

TIL wildcards on IAM principals are way more dangerous than I thought (means literally any principal on any account not just yours).
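Added example, not part of the original thread: a small checker for AWS resource-based policies (bucket, key or queue policies) that flags Allow statements whose Principal is the wildcard, alongside a constructed "before" policy that grants every principal in every account and a scoped "after" policy naming one role in the owning account. Bucket name, account id and role name are placeholders; the code runs under Node.js.

```javascript
// Wildcard-principal checker for AWS resource policies. Added example;
// not the speaker's or any project's code. Assumes Node.js.
//
// In a resource policy, "Principal": "*" and "Principal": {"AWS": "*"} both
// mean every principal in every AWS account (and, for some services,
// anonymous callers), not just identities in the account owning the resource.

// Flatten the Principal element into a list of principal strings.
// Forms: "*", or an object like {"AWS": [...], "Service": [...], "Federated": [...]}.
function principalsOf(principal) {
  if (principal === undefined) return [];
  if (typeof principal === 'string') return [principal];
  return Object.values(principal).flat();
}

function isWildcardPrincipal(p) {
  return p === '*';
}

// Return one finding per Allow statement with a wildcard principal.
// A wildcard that is narrowed by a Condition (for example on
// aws:PrincipalOrgID or aws:SourceVpce) is reported as conditioned so the
// reviewer can judge it separately from a fully open grant.
function findOpenStatements(policy) {
  const stmts = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  const findings = [];
  stmts.forEach((s, index) => {
    if (s.Effect !== 'Allow') return;
    if (!principalsOf(s.Principal).some(isWildcardPrincipal)) return;
    const conditioned = !!(s.Condition && Object.keys(s.Condition).length > 0);
    findings.push({
      index,
      sid: s.Sid || null,
      actions: [].concat(s.Action ?? []),
      conditioned,
    });
  });
  return findings;
}

// Constructed "before" policy: any AWS principal anywhere may read the objects.
const OPEN_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'ReadReports',
    Effect: 'Allow',
    Principal: { AWS: '*' },
    Action: ['s3:GetObject'],
    Resource: 'arn:aws:s3:::placeholder-reports-bucket/*', // placeholder bucket
  }],
};

// Constructed "after" policy: only one named role in the owning account
// (111111111111 is a placeholder account id).
const SCOPED_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'ReadReports',
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::111111111111:role/report-reader' },
    Action: ['s3:GetObject'],
    Resource: 'arn:aws:s3:::placeholder-reports-bucket/*',
  }],
};

// Stand-alone demonstration.
console.log('open policy findings:', JSON.stringify(findOpenStatements(OPEN_POLICY)));
console.log('scoped policy findings:', JSON.stringify(findOpenStatements(SCOPED_POLICY)));

module.exports = { principalsOf, findOpenStatements, OPEN_POLICY, SCOPED_POLICY };
```

Run it over each policy document before it is applied; an unconditioned finding on an Allow statement is the case the post describes, and the fix is to name the accounts, roles or services that actually need access.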

"If you don't have a threat model, you're gambling."

"Blue team: would you spend 80% protecting the network and 20% the applications or vice versa?"
*audience raising hands*
"Who chose the 80net20app won."