Developing secure code in a DevSecOps world
Agenda
18:00 – Welcome with food and drinks
18:30 – First talk by Wim Provoost, Secure Code Warrior
19:30 – Second talk by Riccardo Ten Cate, Xebia
20:30 – Networking
21:00 – End
Location: Rabobank, Croeselaan 18, Utrecht
Go to the main entrance and follow our DevSecOps MeetUp signs.
How to reach: 5 min walk from Utrecht Central Station.
Parking:
1) P3 paid parking (https://goo.gl/maps/99qNDh29HbA2)
2) We are checking if parking at Rabobank is possible.
Together DevSecOps Netherlands and Rabobank have organized the second Meetup for the growing DevSecOps community in the Netherlands. The evening will consist of interesting talks by two security speakers from Belgium, Wim Provoost, and the Netherlands, Riccardo Ten Cate. We hope you enjoy the talks and wish you a great evening.
Join our Meetup group: https://www.meetup.com/DevSecOps-Netherlands/
Follow us on Twitter: @DevSecOpsNL
Wim Provoost
Summary: Security is a big concern in application development as breaches appear in the media on a regular basis. Up to 90 percent of security issues are caused by problems or oversight in the code (U.S. Department of Homeland Security, “Infosheet Software Assurance”, https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf).
While the goal of DevSecOps is noble (introducing security earlier in the application development life cycle and thus minimizing vulnerabilities), reality is different. Many security and compliance monitoring tools have not kept up with this pace of change, as they simply were not built to test code at the speed that DevOps requires. If DevSecOps wants to be successful, drastic changes will be required in how companies as a whole address security. Simply shifting the responsibility for security from the Application Security team towards the DevOps team, without further actions, will lead to even more vulnerabilities.
In this talk, we will outline the pitfalls of moving from DevOps to DevSecOps and how software security can be brought into a software engineer's life, so it can effectively improve the security of their applications with minimal impact on their daily tasks.
Bio: Wim Provoost is a seasoned Product Manager with more than 15 years of experience in the IT industry. He has successfully brought many technology products from idea to market and is now spearheading Sensei, Secure Code Warrior’s real-time security coaching, knowledge sharing and auto-correction solution.
Wim holds a master’s degree in computer science engineering and a master’s degree in economics.
Twitter: @Wimpers_be
LinkedIn: https://www.linkedin.com/in/wimpers/
Riccardo Ten Cate
Summary: Making the web secure, by design! During my work as a penetration tester, I found that there are a lot of vulnerabilities being introduced in applications that could have been prevented in an earlier stage of development. We can see the latest trend in integrating security tooling into CI/CD pipelines. However, security tooling integrated in your security pipelines will not cover the whole attack surface. This is because the tooling can never understand the full context of the application's functions and logic.
On the other hand, resources in the form of manual verification can often be scarce and expensive.
Where do we find the right balance between security test automation and manual verification?
Even more importantly, how do we train the developers to understand the metrics and make security part of their process and culture?
This could be achieved by setting up an (S)SDLC, but what does a good (S)SDLC consist of?
This talk will guide everybody willing to take the maturity of their security in software development to a higher level.
Bio: As a penetration tester from the Netherlands, Riccardo specializes in web-application security and has extensive knowledge in securing web applications in multiple coding languages. Riccardo also has expertise in implementing security test automation in CI/CD pipelines and is the project leader of the OWASP Security Knowledge Framework.
Twitter: @RiieCco
LinkedIn: https://www.linkedin.com/in/riccardo-ten-cate-a0b79780/
Keywords:
-Secure Coding
-DevSecOps
-CI/CD pipelines
-(S)SDLC
-Application Security
