BalCCon2k24

Building vs. Buying – A Tale of Developing an In-House SCA Tool
2024-09-21, 12:00–12:45 (Europe/Belgrade), Tesla

This presentation will detail the journey of developing an in-house Software Composition Analysis tool, from its inception as a challenge to its realization as a comprehensive, open-source solution. It will cover the motivations, challenges, and unique features of the tool, including dependency checks, custom dashboards, and automatic updates.
Diogo Lemos and his team took on the challenge of developing an in-house Software Composition Analysis (SCA) tool rather than opting for market solutions. This presentation will cover the journey of three application security engineers who decided to build a comprehensive, free, and open-source SCA tool. Diogo will discuss the motivations behind this project, the challenges faced, and the unique features of their tool, including custom dashboards, dependency checks, and automatic update features. The talk will also highlight the implementation of a scoring system to assess the security posture of projects.

Diogo Lemos is an Application Security Engineer with extensive experience in developing and managing security solutions. His professional journey began at Checkmarx, where he built security products, and subsequently advanced to Flutter Entertainment. At Flutter, Diogo not only implemented these products but also gained the freedom to develop and tailor them to meet specific organizational needs. His expertise includes automating security processes, optimizing scanning programs, and spearheading cloud security initiatives. Diogo is also an active contributor to various open-source security projects and has a solid record of speaking at industry conferences, including talks on SAST and SCA solutions at Flutter and other venues.

I'm an Information Security Engineer at Flutter UKI&I, where I focus on keeping our systems and applications secure. I have a background in Computer and Network Security, with a Bachelor's degree in the field, and over the years, I've gained experience across different sectors working to protect IT infrastructures.

At Flutter, my role involves identifying and mitigating security risks related to applications and systems. I work with tools like SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis) to find vulnerabilities and ensure that our software is developed and deployed securely.

A big part of my work also involves automating security controls, which helps make our processes more efficient. I regularly use tools like Cloudflare to secure our cloud architectures and web applications, putting in place strong protection mechanisms that make a real difference in our overall security posture.

I also have a solid understanding of ElasticSearch, Kibana, and Grafana, which I use to analyze and visualize security data. This helps me and my team make more informed decisions. Plus, I use Python for automating workflows, making our security operations smoother and more effective.

Beyond my day-to-day role, I enjoy contributing to the open-source community. I've been involved with Surface-Security, where I collaborate with other security pros on projects that improve vulnerability detection and system protection.

Cybersecurity is a constantly evolving field, and I'm passionate about staying up-to-date with the latest developments. I'm always learning and finding ways to expand my knowledge and skills.