I know this is from 2018 and there's been considerable public enlightenment since this talk, but I wanted to call one thing out specifically: 17:15 One of the suggestions here, about immutable/disposable environments being more resilient to attacks, is somewhat true, but only for a certain class of attacks. If you're building VM images or containers for every deploy, that's a great first start, but you also need to be mindful of what you're building your system on top of. Contrasted against a set of static systems that are regularly maintained, it's arguably more dangerous to bake AMIs based on 2-year-old unpatched base Debian/RHEL installs, or to build containers on top of a chain of aging / potentially vulnerable containers. If you're a fairly homogeneous environment and you standardize on a single version of an interpreter (like many Java or Ruby shops might), you might be neglecting your base images because your runtime hasn't been updated. It's important to assess not just your application, but _all_ of the assets consumed in your build pipeline.
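As an added example (not from the talk or the commenter above), a Python check that audits a Dockerfile's base images for the two problems the comment raises: mutable, unpinned base references and bases that have not been rebuilt in a long time. The Dockerfile, the digest and the image creation dates are constructed; in practice the dates would come from `docker inspect -f '{{.Created}}'` on each base.

```python
import re
from datetime import datetime, timezone

# Constructed digest and multi-stage Dockerfile: the build stage is pinned,
# but the final runtime stage inherits an old, mutable-tagged base.
PINNED_BUILD_BASE = "golang:1.21-alpine@sha256:" + "0" * 64
DOCKERFILE = f"""\
FROM {PINNED_BUILD_BASE} AS build
WORKDIR /src
RUN go build -o app .
FROM debian:buster
COPY --from=build /src/app /usr/local/bin/app
"""

# Constructed stand-in for `docker inspect -f '{{.Created}}' <image>` output.
IMAGE_CREATED = {
    PINNED_BUILD_BASE: "2024-05-01T00:00:00Z",
    "debian:buster": "2022-02-10T00:00:00Z",
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed audit time

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
                     re.IGNORECASE | re.MULTILINE)

def base_images(dockerfile):
    """External images referenced by FROM, skipping scratch and earlier-stage aliases."""
    stages, bases = set(), []
    for ref, alias in FROM_RE.findall(dockerfile):
        if ref not in stages and ref.lower() != "scratch":
            bases.append(ref)
        if alias:
            stages.add(alias)
    return bases

def audit(dockerfile, created, now, max_age_days=180):
    """Return (image, finding) pairs for unpinned or aging base images."""
    findings = []
    for ref in base_images(dockerfile):
        if "@sha256:" not in ref:
            findings.append((ref, "mutable reference (no digest pin)"))
        when = created.get(ref)
        if when is None:
            findings.append((ref, "no image metadata available"))
            continue
        age = (now - datetime.fromisoformat(when.replace("Z", "+00:00"))).days
        if age > max_age_days:
            findings.append((ref, f"base image is {age} days old"))
    return findings

def run_audit():
    return audit(DOCKERFILE, IMAGE_CREATED, NOW)
```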
@Natasha-re1kt 6 years ago
He is not a security expert as he mentioned and should refrain from speaking on the topic. I found quite many statements that he made are not true.