The Real World Security Track brings together stories about various successful approaches to reducing the risk of running real systems in production. Come learn what has worked to protect others while being targeted by increasingly sophisticated adversaries. Come ask questions about how to make good security tradeoffs when writing software. And do all of this with some of the top security practitioners in the industry today!
Track: Real World Security
Location: Majestic Complex, 6th fl.
Day of week:
Track Host: Bryan Payne
Leads Product & Application Security @Netflix
Dr. Bryan D. Payne has dedicated his career to the complex field of computer security. He currently leads the Product and Application Security team at Netflix where they provide the security expertise and create systems that protect Netflix’s large cloud footprint. Over the years he has worked on both offensive and defensive security projects for government, academia, and industry. As a result, Dr. Payne brings a unique perspective to modern security issues.
10:35am - 11:25am
Making Security Usable: Product Engineer Perspective
This is a story of going through typical security challenges: how to build products that reliably deliver security guarantees, avoid typical pitfalls, and are usable in a predictable fashion by real users. It's a tale of balancing religious adherence to security practices with keeping customer's needs in mind at all time inside the development team; listening to the customers and observing actual behavior outside in the wild; and trying to make the best decisions to empower customers with easy tools for encrypting data in their apps securely and without pain.
We'll take a look at the process through the eyes of one of our customers, who made all the things wrong before doing things right, and through the eyes of product engineer, responsible for learning the lessons to make security products even more usable and reliable for non-security-focused engineers.
Key takeaways:
Attendees will go through several stages of inception and implementation of database encryption/intrusion detection tools. They will see the "behind the scenes" work inside a cryptographic engineering company, will see how customers are one of the most useful people to learn from, and how getting over "we tell you what to do" mentality makes security tools better.
Anastasiia Voitova, Security Focused Product Engineer @CossackLabs & Co-Organizer CocoaHeads Ukraine
11:50am - 12:40pm
Data Security Dreams and Nightmares
We don’t often hear about successes of data security programs, yet failures in securing data are trumpeted by the media leading to commercial disbarment of anyone associated with a data breach. What lessons did I learn by observing and assisting with data breaches? It is not only how to avoid them, but also what can be done to emerge successfully from a bad situation. This is a thrilling ride with a behind-the-scenes look into many major data breach dynamics. Let’s learn from their mistakes, not your own.
Alex Holden, Founder and Chief Information Security Officer @HoldSecurity
1:40pm - 2:30pm
Defense in Depth: In Depth
Hindsight is often 20/20 for security vulnerabilities, and it is too easy to point fingers and cast blame when a security incident occurs. However, working to prevent a security compromise can feel like an unparalleled challenge, where no amount of planning can cover or foresee every point of failure that could lead to a devastating compromise.
While preventing security vulnerabilities can seem like a daunting task, practicing defense in depth is a useful place to start with. As attacks often leverage a chain of compromises, it can be nearly impossible to test for every failure case. Instead, developers, teams, and organizations can layer security techniques and practices to achieve an outcome where a single (or even multiple) vulnerabilities still limit what an attacker can ultimately achieve.
In this talk, we'll look at what defense in depth means from a variety of roles and perspectives- from developers practicing defensive coding to minimize common code vulnerabilities, to architects designing secure systems beyond just the perimeter, to building secure products for users who can't remember a 50-character password. We'll see how defense in depth can help organizations prevent unforeseen attacks and limit damage when compromises do occur.
Chelsea Komlo, Software Engineer @HashiCorp
2:55pm - 3:45pm
7 Strategies for Scaling Product Security
Product Security and Application Security Engineering teams are tasked with fixing and preventing security vulnerabilities, developing security controls, building meaningful security automation, maintaining security review processes, building security capabilities into existing products and leveraging the collective skills of the research community, whilst being the guardians of customer data.
Beyond Penetration Testing – In this presentation, we will cover seven different high-ROI strategies for resource-constrained Product Security teams that need to scale to support thousands of developers. We will dig deep into different tenets that help build and grow a high-functioning security engineering practice, including secret management, automation services, vulnerability management, reporting and operational excellence, bug bounty programs, training, engagement and product defense strategies.
Attendees will be provided with actionable technical strategies and time-tested lessons to build a comprehensive Secure SDL program and increase their organization's product security maturity in just a few months.
Angelo Prado, Senior Director, Application Security Engineering @Jet
4:10pm - 5:00pm
Engineering Secure Products at Facebook
In this talk we'll discuss how we build secure products at Facebook. Our strategy includes building safe by default frameworks, using code analysis in creative and powerful ways, building meaningful relationships with whitehat researchers, and deeply understanding risks to specialized products and features. We’ll show examples of past bugs, and introduce the challenges we face going forward. Come find out our approach to securing 2+ billion people!
Teddy Reed, Security Engineering Manager @Facebook NYC