DevSecOps: The Evolution of DevOps
Have you ever asked yourself the following questions:
What does DevSecOps means?
How is this different from DevOps?
What can we learn from the DevOps movement?

If so, please join us to listen and interact with James Betteley who will share his experience of shaping DevOps and what he foresees will happen with DevSecOps.


A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes. Developers today face a massive onslaught of new and old attack vectors in both the code they write and the open source they use.


Secret Management Journey – In the beginning there was a file and it contained all the passwords in the plain text, but then someone stole all the passwords, so we don’t do that anymore. In this talk I will explore how secret management has evolved over the years, what is the common path to maturity, what good looks like and why “Just use HashiCorp Vault” is a good heuristic. Explore with me the perils of storing secrets in Jenkins, how ansible-vault leads to disasters and where does CyberArk Conjur sit in all of this.

Vulnerability Risk Management is certainly one of the most critical security processes in any company. Attacks on applications and systems can be divided into two categories: exploiting one or more vulnerabilities, or exploiting a human – typically by social engineering. Most sophisticated attacks use a combination of the above. To defend against the former, organisations have developed processes to detect, analyse and remediate vulnerabilities. The key question any organisation should be asking when planning DevSecOps, in the scope of vulnerability management, is whether any of their existing processes need to change and how much. The talk will explain a built about best practice process in a traditional organisation and then dissect individual areas in the view of DevSecOps. Prepare to challenge and be challenged discussing this boring yet critical subject.


Information Security departments often view containers as challenging to manage (code moves too fast for risk analysis, thousands of containers with limited visibility or control). Government organizations such as NIST have come out with guidelines for Application Container Security, while serverless technologies such as Azure Container Instances or AWS Fargate create additional challenges regarding how security risks are managed.

In this presentation we will look at these challenges and demonstrate how security controls can be continuously embedded into the application lifecycle.


The standard approach to setting up a bastion server (or jump box) has enough weaknesses already. Managing secure access to your VPC’s for hundreds of users and hundreds of servers increases these exponentially.
I found the available solutions lacking.

Here I briefly cover the issues and present a working production solution immutably deploying ssh bastion access as a stateless service on AWS, managed entirely with Terraform – no build chain, no registries, no secrets management and instantaneous access.

The result is a bastion server that isn’t there, until the moment a user calls for it and then it can be their special snowflake, just for them, briefly, until it’s gone.


Security is a key concern for application developers and operations teams, as well as security professionals. What do I need to do in the face of new threats like Meltdown and Spectre? What happens when the next big issue comes along? What should my priorities be? How do containers help? In this talk we’ll demonstrate some common attacks live, and show how you can effectively defend your container deployment against them, using a combination of best practices, configuration, and tools.


Threat Modelling can be a laborious and time-consuming exercise, which is not a happy marriage with CI and DevOps methodologies. In this talk, I shall outline my Rapid Threat Model Prototyping paradigm, which I have successfully been using both at Visa and Photobox. My method enables automation and inclusion into fast-moving development cycles and is well-suited for today’s IT environments.


Aubrey Stearn: How To Save A Burning Programme

Kaveh Goudarzi and Michael Man: Implementing SAST IRL

Chris Rutter: Micro Threat Modelling For Agile Delivery Works

Stuart Gunter: Real World Security

Alexandre Fiori: Vulnerability Management At Scale At Facebook


Hot Topic 1: Multiple releases a day, what security testing should be considered and adopted?