Theme Forum
Software Security Forum

Engage with top cybersecurity experts to gain insights on how to address internal and external software security threats effectively by tackling software security issues that span multiple levels and evolve with the times. 

TIME & LOCATION
5/10 (Wed.) 14:00 - 17:00 | 703 Meeting Room
AGENDA
14:00 - 14:30

In recent years, penetration testing and red team assessment have become a way for enterprises to examine their product security. Although mitigating vulnerabilities is better late than never, it would be more desirable if the vulnerabilities weren't released in the first place. This agenda will illustrate the benefits of having a red team within the company. By conducting penetration tests during development, vulnerabilities can be found and eliminated in advance. Additionally, the collaboration between the red team and developers can also increase the sensitivity of developers regarding security threats. Moreover, when designing and implementing security-related functions, the red team can also act as consultants, providing the perspectives of attackers and ensuring security by design. Through all of the above, enterprises will be able to take advantage of the red team to buff the development process, making it faster and safer. Eventually, this allows the red team and blue team, which are generally considered to be on opposite sides, to coordinate and cooperate with each other and to enhance the enterprise's security quickly, smoothly and thoroughly.

王建元 (Kevingwn) Synology Inc. Security Incident Response Team Product Developer
Red Team Exploit of Vulnerability Penetration Testing
14:45 - 15:15

API Security plays the most important role in today's modern software microservices architecture. OWASP also introduced the API Security Top 10 in 2019. In this talk, I will be talking about how API insecurity can be leveraged to gain data and how we can penetrate your API endpoints.

Jie Liau Palo Alto Networks Cortex Solutions Architect
API Security Web Service Security
15:45 - 16:15

Automated scanners are an important aspect of today's SDLC/SSDLC, but there are limitations when it comes to source code review scanners.

In this talk, some examples will be shown to understand the pros and cons of automated scanners, and how we can identify the problems.

Billy Crypto.com Application Security Engineer
Application Security
16:30 - 17:00

In this presentation, we will introduce the concept and purpose of the Security Development Lifecycle (SDL), and share Synology's experience in introducing SDL and practicing DevSecOps. We will demonstrate how product security assurance and penetration testing are conducted and the results, as well as the use of static and dynamic automated application security testing to further enhance software quality and security.

We will share the challenges encountered in introducing SDL and practicing DevSecOps, and how to solve them step by step. We hope the audience will have a better understanding of the importance and necessity of SDL and DevSecOps through practical experience. These actions not only contribute to the improvement of software quality and security, but also provide a more secure product for users.

Steven Lin Synology Security Incident Response Team Product Developer
Security Development Lifecycle DevSecOps Application Security