Presentation: 7 Strategies for Scaling Product Security

Track: Real World Security

Location: Majestic Complex, 6th fl.

Duration: 2:55pm - 3:45pm

Level: Intermediate

Persona: Developer, Security Professional

Abstract

Product Security and Application Security Engineering teams are tasked with fixing and preventing security vulnerabilities, developing security controls, building meaningful security automation, maintaining security review processes, building security capabilities into existing products and leveraging the collective skills of the research community, whilst being the guardians of customer data.

Beyond Penetration Testing – In this presentation, we will cover seven different high-ROI strategies for resource-constrained Product Security teams that need to scale to support thousands of developers. We will dig deep into different tenets that help build and grow a high-functioning security engineering practice, including secret management, automation services, vulnerability management, reporting and operational excellence, bug bounty programs, training, engagement and product defense strategies.

Attendees will be provided with actionable technical strategies and time-tested lessons to build a comprehensive Secure SDL program and increase their organization's product security maturity in just a few months.

Speaker: Angelo Prado

Senior Director, Application Security Engineering @Jet

Angelo Prado is the Senior Director of Application Security at Jet.com / Walmart. Prior to his current role, he was a Director of Product Security at Salesforce, where he led a Security Engineering team and managed one of the largest Bug Bounty Programs in the industry. Mr. Prado has also worked as a Software Engineer at Microsoft and Motorola, delivering key contributions to their security product lines.

Mr. Prado is one of the authors of BREACH, a security exploit against SSL which leverages a compression side channel to derive secrets from the ciphertext in an HTTPS stream. As a thought leader of the security community, Mr. Prado frequently speaks at major conferences worldwide, including Black Hat USA (2017, 2014, 2013), Black Hat Asia (2015), ToorCon (2013, 2015), SecTor, Hacker Halted, TakeDownCon, SC Congress, Georgetown University and more.

Mr. Prado also serves as a strategic advisor to HackerOne and as a member of the advisory board at COMFIE, a 501(c)(3) non-profit educational organization. In his spare time, he teaches a graduate class as an associate professor at Universidad Pontificia Comillas, Madrid, eats Spanish ham and has personally discovered and contributed to over a dozen CVEs.
