Hey TianPan! Sam here, security engineer on a mission to make security everyone’s responsibility.
Evolution of my role:
- 2015: Pen tester (break things)
- 2017: Security architect (design secure things)
- 2019: AppSec engineer (fix broken things)
- 2021: DevSecOps advocate (prevent broken things)
- 2024: Security automation engineer (scale all the things)
Current security stack:
- SAST: Semgrep, CodeQL
- DAST: OWASP ZAP, Burp Suite
- Dependencies: Snyk, Dependabot
- Secrets: GitGuardian, TruffleHog
- Cloud: Prowler, ScoutSuite
- Container: Trivy, Falco
Biggest wins:
- Reduced vulnerabilities by 85% with shift-left approach
- Automated security testing in CI/CD
- Zero security incidents in production (2 years running)
- Converted 100+ devs to security champions
- Built company-wide threat modeling culture
Hot takes:
- Security through obscurity never works
- Compliance != Security
- The best security tool is educated developers
- Zero trust is the only trust model
- AI will make both attacks and defenses stronger
Working on: Open-source security testing framework for GitHub Actions.
Who else is doing DevSecOps? How do you balance security with developer velocity?