Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL

Practical tips for web application security in the age of Agile and DevOps

Zane Lackey (Signal Sciences)
16:45–17:25 Friday, 11 November, 2016
Tech, tools, and processes
Location: G103 Level: Intermediate
Average rating: ****.
(4.00, 1 rating)

Prerequisite knowledge

  • General knowledge of security, development, and DevOps practices

What you'll learn

  • Learn practical tips for how to approach application security in a way that enables rather than hinders the shift to Agile, DevOps, and CI/CD


The SDLC has been the standard model for web application security over the last decade and beyond, focusing heavily on gatekeeping controls like static analysis and dynamic scanning. However, the SDLC was originally designed in a world of waterfall development, and its heavyweight controls often cause more problems than they solve in today’s world of Agile, DevOps, and CI/CD.

Zane Lackey shares practical lessons learned on the most effective application security techniques in the increasingly rapid world of application creation and delivery, exploring how to adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices, obtain visibility to enable, rather than hinder, development as well as DevOps teams’ ability to iterate quickly, and measure the maturity of your organization’s security efforts in a nontheoretical way.

Photo of Zane Lackey

Zane Lackey

Signal Sciences

Zane Lackey is the cofounder and CSO at Signal Sciences and serves on the advisory boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the director of security engineering at Etsy and a senior security consultant at iSEC Partners. He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, Zane has presented at BlackHat, RSA, USENIX, Velocity, Microsoft BlueHat, SANS, OWASP, and QCon and has given invited lectures at Facebook, Goldman Sachs, New York University, and Reykjavík University. Zane is a contributing author of Mobile Application Security (McGraw-Hill), a coauthor of Hacking Exposed: Web 2.0 (McGraw-Hill), and a contributing author/technical editor of Hacking VoIP (No Starch Press). He holds a bachelor of arts in economics with a minor in computer science from the University of California, Davis.