Cutting to the chase: Security Design and Guidance at scale
OWASP Foundation

Published on Jan 30, 2024

In 2021, OWASP added A04:2021 – Insecure Design as a new category focusing on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures.

In a cloud-native, agile environment with hundreds of services operating at scale, security needs to be proactive, comprehensive, context- and data-driven, with a focus on risk reduction.
Security in such fast-paced, engineering-heavy organizations needs a shared ownership model. To get there, application security truly needs to be decentralized by design.

How does a lean team of security engineers achieve this with an emphasis on trust and partnership?
In this talk, I’ll cover my learnings as a software security engineer working on security design and guidance at scale. The talk will mainly focus on:
1. The three pillars of application security success:
- Building self-service for security design reviews
- The cost/value proposition of different security activities throughout the SDLC
2. Partnership with developers and product teams
- We will go over our security champions program journey and look at some success stories and roadblocks
3. Developer experience patterns and anti-patterns

I'll be sharing plenty of examples covering learnings on what works and what does not work, both from reflections on successes and failures for anyone building security at scale.

Nielet D'mello
Datadog
Software Security Engineer

Nielet D'mello is a software security engineer at Datadog where she focuses on security design and guidance. She works closely with developers, product and engineering teams to design, build and ship secure products/services.

Her work includes research and implementation of tooling, automations and processes around threat modeling, secure design patterns and reference architectures. Lately, this involves building the security champions program that aims to do the above and decentralize security across the company.
She is an active STEM mentor and loves sharing her learnings through writing.

Managed by the OWASP® Foundation
https://owasp.org/
