So, the first Alfa-Bank meetup dedicated to safe development has passed. Photos and video…

So, the first Alfa-Bank meetup dedicated to safe development has passed. Photos and videos are attached to the post, but I’ll tell you about the event itself and the reports now 🤌

It all started with receiving a badge ( and traditional photos with him ), after which my colleague and I went to explore the venue. It was quite small, so after a couple of photos we moved on to the buffet table. After eating, we sat down and waited for the speakers to speak. ⏳

And now it's time for reports. As per tradition, I have given you a brief summary of each performance. 🔥

Report section:

1️⃣ We do AppSec: Alfa-Bank's experience

The first speaker was the head of the directorate for secure digital solutions, Dmitry Kuznetsov. He spoke about his experience and career path within the AppSec area. He showed how Alfa Bank came to 6 different teams (AppSec, DevSecOps, SecOps, CyberRisk, Product and Offensive), each of which deals with a separate block of security tasks. He also talked about how Alfa-Bank is working on a safety culture within the company, holding case championships and collaborating with universities. Dmitry also announced Alfa CTF, which will take place on September 13-14)

2️⃣ The customer is almost always right: ASOC-based SSDLC service model

Since the report was the second in a row, the guys from Alpha decided to please us with two speakers at once. And then the technical lead of the secure development practitioner, Alina Sagirova, and the team lead of the research and development team for secure development tools, Andrey Yatskin, came onto the stage. The guys talked about the nuances of the landscape of large companies, AppSec tasks for implementing the service, centralized management based on the AppSec platform, the process of working with vulnerabilities and key metrics. They showed how to implement SSDLC using their own example, and outlined the challenges they themselves faced

3️⃣ MLSecOps through the eyes of AppSec: what can go wrong (and will go wrong)

And here we have the main expert on secure development, Dmitry Bogachev, who raised important questions about the security of ML models. He talked about basic ML security practices, analyzed real incidents and popular types of attacks on machine learning

4️⃣ The highest degree of order: doing business in offensive AppSec

The final speaker was the team leader of the cyber testing team, Dmitry Tereshin. He talked about the difficulties that the guys on his team faced in achieving AppSec process maturity. Exactly how they built their testing processes and what metrics they used

Yes, I described the speeches in a very general way, but I can’t imagine how to write four 40-minute reports in one relatively a little post. If the guys post presentations ( as it was on BACON), I will share them with you

Now we have networking, beer, hookah and other not the most useful, but such pleasant pleasures 🤩

This is how the first AppSec meetup from Alfa-Bank took place. It was cool 🫶

#information_security