What's Next for Security, Development, and CloudSec Teams (PRT063-R)

Title

AWS re:Invent 2022 - What’s next for security, development, and CloudSec teams? (PRT063-R)

Summary

  • By 2025, there will be an estimated 24 million cloud-native developers.
  • Human error is responsible for 95% of all breaches.
  • Development cycles are accelerating, with an average of four production pushes per day, reducing time for security checks.
  • Ori Bendet from Checkmarx, a product management leader, discusses the evolution from Waterfall to cloud-native development and the associated challenges.
  • Cloud-native development is growing at 20% annually, with common technologies including containers, Kubernetes, and serverless.
  • Challenges include the need for speed, shift-left security, developer autonomy, repository centrality, open-source risks, and "everything as code" including infrastructure.
  • Security needs to be integrated early in the development cycle, with developers now responsible for more aspects of the system.
  • The concept of "Legolizing" software development is introduced, emphasizing the use of various components like cloud services, CloudFormation templates, and open-source libraries.
  • There is a tension between developers' desire for simplicity and CISOs' need for risk management.
  • The future of application security involves focusing on risk management rather than fixing all vulnerabilities.
  • Security champions within development teams are becoming crucial for bridging the gap between AppSec and developers.
  • Developer experience is key, with efficiency, immediate value, and simplicity being the main concerns.
  • Production insights can improve prioritization and should be part of the DevSecOps cycle.
  • The talk concludes with a reflection on the shift from Waterfall to cloud-native and the importance of preparing for low-code development.

Insights

  • The rapid growth of cloud-native development is creating a demand for new security practices that can keep pace with the increased speed of deployment.
  • The shift-left approach is becoming more prevalent, emphasizing the need to integrate security early in the development process to prevent vulnerabilities.
  • The rise of open-source software and "everything as code" is increasing the complexity of security, requiring tools that can scan and manage risks across various code definitions.
  • The concept of "Legolizing" reflects a trend towards modular and reusable components in software development, which can introduce new security challenges.
  • The role of security champions is emerging as a solution to the disconnect between security teams and developers, highlighting the need for security-minded individuals within development teams.
  • Developer experience is increasingly recognized as important for security tool adoption, with a focus on tools that are efficient, provide immediate value, and are simple to use.
  • The importance of monitoring production environments is highlighted as a means to gain insights for better vulnerability prioritization and risk management.
  • The talk suggests a holistic approach to DevSecOps that includes continuous feedback loops from production to development, rather than a binary shift-left or shift-right mindset.
  • The mention of low-code development at the end of the talk indicates an upcoming trend that could further democratize development but also introduces new security considerations.