Application Security at scale and speed is an incredible challenge! Join us for an exciting virtual event with your fellow Application Security practitioners!
We'll kick off with a series of lightning talks from experts working on high-scale challenges in application security, followed by breakout birds-of-a-feather conversations to discuss challenges and topics in the appsec space.
Automating vulnerability discovery is essential for any large engineering organization. You’ve set up your automated vulnerability tooling, scaled it to the entire company, and now alerts are flowing to engineers. Now what? How do security teams successfully work with engineers to investigate and remediate vulnerabilities? How do you set clear expectations? How do you make this security debt work visible across the company and balance it against other priorities?
This talk will cover GitHub’s Engineering Fundamentals process, which tracks technical debt across all our services. We’ll walk through how we track security debt alongside other key measures of success such as testing, performance and availability. Using outdated dependencies as a case study, we’ll talk about how we integrate security alerts into our custom tooling, generate clear metrics across the company and successfully prioritize this work.
Have you grown tired of having breached SLAs? Does it make business sense for your Security Engineers to chase down breached vulnerability tickets? Well, we didn’t think so and two years ago we decided to move beyond inflexible SLAs and permanent exceptions. The Security team decided to enable our business to “Embrace Risk Responsibly” by treating vulnerabilities like debt.
Netflix has thousands of microservices, with new ones being launched daily. The only way we can scale application security is through automation and having easily-queryable data.
This talk will cover our team's engineering-first approach to application security, focusing on two tools which allow us to map the relationships between various infrastructure components, identify risks, automate security guidance and help respond to security incidents across our large and fast-moving environment.