Working with Developers for Fun and Progress
About Me
● Red Team at Redspin
● SB OWASP + AppSec California + Bay Area OWASP
● Green Team at Bugcrowd
● Blue Team at Segment
The Slides are Online, I’m Online
● https://www.slideshare.net/leifdreizler/ TODO
● @leifdreizler
TODO
Influential Presentations
● Twubhubbook: Like an AppSec Program, but for Startups - Neil Matatall/Brent Johnson (GitHub) - https://youtu.be/JEE7wXHa1kY
● We Come Bearing Gifts: Enabling Product Security with Culture and Cloud - Astha Singhal/Patrick Thomas (Netflix) - https://youtu.be/L1WaMzN4dhY
● Starting an AppSec Program: An Honest Retrospective - John Melton (NetSuite) - https://youtu.be/ETkHISgEh3g
● Pushing Left, Like a Boss - Tanya Janca (Microsoft) - https://youtu.be/8kqtrX6C10c
Favorite Quotes
Source: https://reqtest.com/general/a-bug-goes-skateboarding-on-boehms-curve/
● Enable, Don’t Block - “Effective Security teams should measure themselves by what they enable, not by what they block” - Rich Smith
● Security Has to Start with Quality - “Vulnerabilities are bugs. The more bugs in your code, the more vulnerabilities”
● Choose People over Tools - “Learn to lean on your tools. But depend on your people to keep you out of trouble”
“Make it easy for engineers to write secure code and you’ll get secure code.”
Outline
1. Building a Team and Program
2. Training
3. Successful Vendor Implementation
4. Engineering Embed Program
@leifdreizler
Building a Team
Organizational Buy In
● Whole company needs to care about security
● $ecurity Headcount
● Engineering time
Jonathan Marcil - Threat Modeling Toolkit (https://youtu.be/KGy_KCRUGd4)
Building a Team
● Host/speak/volunteer/sponsor meetups/conferences
● OSS Contributions
Coleen Coolidge - How to Build a Security Team and Program (https://youtu.be/b0r5vc_eCoU)
Shift Left
Tanya Janca, @shehackspurple Source: https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95
Training
● Part 1 - Think Like an Attacker
● Part 2 - Secure Code Review
Source: Security Solutions for Hyperconnectivity and the Internet of Things
Reviews
Training - Think Like an Attacker
Training - Secure Code Review
Think Like an Attacker - Creating Relevant Content
● Bug bounty submissions
● Pentests
● Internal findings
OWASP Juice Shop
Source: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Hands-On Training Schedule
1. Vuln category 1 (Slides + Examples)
2. Vuln category 2
3. Interactive Training (Burp Suite + Juice Shop)
Repeat!
Source: https://www.dreamstime.com/royalty-free-stock-photography-computer-hacker-hands-image8278907
Pwning OWASP Juice Shop: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
Hands-on Training
Security 1337erboard
Secure Code Review
● XSS
● Broken Access Control
● Secrets management
● Error handling
● SSRF + DNS Rebinding
● …and more!
Influenced by OWASP Secure Coding Cheat Sheet
Source: Your Personal Password Vault: A Password Journal and Logbook
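Of the review topics listed above, SSRF + DNS Rebinding is the one where the obvious fix (resolve the hostname, check the address, then make the request) is itself the bug: a rebinding resolver answers with a public address for the check and a private one for the connection. The block below is an added example, not code from the talk or from the shirt-store demo. `isForbiddenAddress`, `naiveTarget`, `pinnedTarget` and the injected `lookup` resolver are hypothetical names, and the resolver is a constructed stand-in for DNS so the snippet runs offline; in production `lookup` would wrap `dns.promises.lookup` and the functions would be async.

```javascript
// Added example (not from the talk): SSRF allow-check that survives DNS rebinding.
// The `lookup` argument is a hypothetical, injected resolver (hostname -> IPv4 string)
// so the example runs offline; a real implementation would use dns.promises.lookup.

// Parse a dotted-quad IPv4 literal into four octets, or null if it is not one.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for addresses an outbound fetcher must never be pointed at: loopback,
// RFC 1918 private ranges, CGNAT, link-local (which includes the cloud metadata
// endpoint 169.254.169.254), 0.0.0.0/8, multicast and reserved space.
// Assumption: IPv4 only; anything that is not a valid IPv4 literal is rejected.
function isForbiddenAddress(ip) {
  const octets = parseIPv4(ip);
  if (octets === null) return true;
  const [a, b] = octets;
  if (a === 0 || a === 10 || a === 127) return true;
  if (a === 100 && b >= 64 && b <= 127) return true;
  if (a === 169 && b === 254) return true;
  if (a === 172 && b >= 16 && b <= 31) return true;
  if (a === 192 && b === 168) return true;
  if (a >= 224) return true;
  return false;
}

// Vulnerable pattern: validate the address behind the hostname, then hand the
// *hostname* to the HTTP client, which resolves it a second time. A rebinding
// DNS server returns a public address first and 127.0.0.1 second, so the check
// passes and the request lands on localhost.
function naiveTarget(hostname, lookup) {
  const checked = lookup(hostname);
  if (isForbiddenAddress(checked)) throw new Error("blocked: " + checked);
  const connected = lookup(hostname); // second resolution, attacker-controlled
  return { connectTo: connected, hostHeader: hostname };
}

// Hardened pattern: resolve once, validate that exact address, and connect to the
// IP literal. The original hostname is carried separately for the Host header
// (and for TLS SNI / certificate verification) so the request still looks normal
// to the remote server.
function pinnedTarget(hostname, lookup) {
  const ip = lookup(hostname);
  if (isForbiddenAddress(ip)) throw new Error("blocked: " + ip);
  return { connectTo: ip, hostHeader: hostname };
}

// Constructed resolver simulating a rebinding attacker's DNS server:
// public address on the first answer, private address on every later one.
function makeRebindingResolver(publicIp, privateIp) {
  let calls = 0;
  return (_hostname) => (calls++ === 0 ? publicIp : privateIp);
}
```

With a rebinding resolver, `naiveTarget` ends up connecting to `127.0.0.1` while `pinnedTarget` connects to the address it actually validated. The pinning only helps if the HTTP client is told the IP literal and given the hostname separately (Host header, `servername` for TLS); redirects must go through the same check, since a 302 to an internal address is the other common bypass.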
Absolute AppSec #42
https://github.com/segmentio/netsec
https://github.com/segmentio/netc
Leif’s Hawaiian Shirt Store
I’ve paid David to build a new Hawaiian shirt store with React. Is there anything wrong with it?
server.js
App.js
AppSec Training
● Meet new eng hires
● Common vuln types
● “Security Judgment”
● Think about PRs in new ways
● Have fun!
Vendor Adoption
Source: https://www.itbusinessedge.com/slideshows/nine-questions-to-ask-when-selecting-a-security-vendor.html
Partner with Engineering during the evaluation process
Example - Snyk
● Security eval - tested on various repos
● Partnered with App team
● Presented at Eng all hands
● Security submitted PRs to core repos
● Wrote Integration with Directory
Snyk is a tool to help companies manage vulnerabilities in their dependencies.
Directory Integration
Bug Bounty
Pay for anything that gives value
Source: https://www.ixxiyourworld.com/en/products/ixxi-images/boba-fett-film-poster/
https://bugcrowd.com/segment?preview=7d6237547ee4ad71a249877be1858ffe
Source: https://articles.microservices.com/an-alternative-way-of-visualizing-microservice-architecture-837cbee575c1
Bug Report → Jira
● Description
● Easy to follow repro steps
● Severity
● Remediation Criteria
● Suggested Remediation
Security ➡ Engineering Embed Program
Follow the Normal Process
● Software design docs
● Get appropriate buy-in
● Work with Design
● Write good test cases
● Follow deployment procedures
Engineering Embed
Full Stack (Security) Engineering
● Meet developers, designers, product managers
● Deeper understanding of the engineering process
● Learn more about the code base you’re protecting
● Diversify your skillset
Walk a mile in the developer’s code
Password Strength Meter
[Chart: Password Strength Meter project, scale 0-5, across Analytics, PM, Full-stack, Design, Marketing Copy]
Security ➡ Engineering Embed Program
● Great way to meet people
● Shows you can build useful features/tools
● Sec learns eng process/tooling/constraints
● Bring back knowledge to the security team
Developer Friendly SAST
#33
Salus
https://youtu.be/TGBTrshyE9Y
In Case of Emergency
● Compliance requirements (GDPR, ISO27001, etc.)
● Recent Pentests (shown to customers)
● Customer security questionnaires
● My peers at companies x, y, and z do thing
Key Takeaways
• Get Involved!
• Build Your Dream Team (this includes developers!)
• Vulnerabilities are Just Bugs
• Security is Everyone’s Job
• “Security Judgment”
• Successfully Partner Cross-functionally
• Reduce Operational Work
• Save your No’s
@leifdreizler
Closing Thoughts
TODO
@leifdreizler

Work with Developers for Fun and Progress - AppSec California

  • 1. Working with Developers for Fun and Progress
  • 2. About Me
    ● Red Team at Redspin
    ● SB OWASP + AppSec California + Bay Area OWASP
    ● Green Team at Bugcrowd
    ● Blue Team at Segment
  • 3. The Slides are Online, I’m Online
    ● https://www.slideshare.net/leifdreizler/ TODO
    ● @leifdreizler TODO
  • 4. Influential Presentations
    ● Twubhubbook: Like an AppSec Program, but for Startups - Neil Matatall/Brent Johnson (GitHub)
    ● We Come Bearing Gifts: Enabling Product Security with Culture and Cloud - Astha Singhal/Patrick Thomas (Netflix)
    ● Starting an AppSec Program: An Honest Retrospective - John Melton (NetSuite)
    ● Pushing Left, Like a Boss - Tanya Janca (Microsoft)
    #1 - https://youtu.be/JEE7wXHa1kY
    #2 - https://youtu.be/L1WaMzN4dhY
    #3 - https://youtu.be/ETkHISgEh3g
    #4 - https://youtu.be/8kqtrX6C10c
  • 5.
  • 6. Favorite Quotes
    ● Enable, Don’t Block - “Effective Security teams should measure themselves by what they enable, not by what they block” - Rich Smith
    ● Security Has to Start with Quality - “Vulnerabilities are bugs. The more bugs in your code, the more vulnerabilities”
    Source: https://reqtest.com/general/a-bug-goes-skateboarding-on-boehms-curve/
  • 7. Favorite Quotes
    ● Enable, Don’t Block - “Effective Security teams should measure themselves by what they enable, not by what they block” - Rich Smith
    ● Security Has to Start with Quality - “Vulnerabilities are bugs. The more bugs in your code, the more vulnerabilities”
    ● Choose People over Tools - “Learn to lean on your tools. But depend on your people to keep you out of trouble”
    “Make it easy for engineers to write secure code and you’ll get secure code.”
  • 8. Outline
    1. Building a Team and Program
    2. Training
    3. Successful Vendor Implementation
    4. Engineering Embed Program
    @leifdreizler
  • 9. Organizational Buy In
    ● Whole company needs to care about security
    ● $ecurity Headcount
    ● Engineering time
    Building a Team
    Jonathan Marcil - Threat Modeling Toolkit (https://youtu.be/KGy_KCRUGd4)
  • 10. Building a Team
    ● Host/speak/volunteer/sponsor meetups/conferences
  • 11. Building a Team
    ● Host/speak/volunteer/sponsor meetups/conferences
    ● OSS Contributions
    Coleen Coolidge - How to Build a Security Team and Program (https://youtu.be/b0r5vc_eCoU)
  • 12. Shift Left
    Tanya Janca, @shehackspurple
    Source: https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95
  • 13. Training
    ● Part 1 - Think Like an Attacker
    ● Part 2 - Secure Code Review
    Source: Security Solutions for Hyperconnectivity and the Internet of Things
  • 14. Reviews
    Training - Think Like an Attacker
    Training - Secure Code Review
  • 15. Think Like an Attacker - Creating Relevant Content
    ● Bug bounty submissions
    ● Pentests
    ● Internal findings
    Training - Think Like an Attacker
  • 16. OWASP Juice Shop
    Source: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
    Training - Think Like an Attacker
  • 17. Hands-On Training Schedule
    1. Vuln category 1 (Slides + Examples)
    2. Vuln category 2
    3. Interactive Training (Burp Suite + Juice Shop)
    Repeat!
    Source: https://www.dreamstime.com/royalty-free-stock-photography-computer-hacker-hands-image8278907
    https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
    Training - Think Like an Attacker
  • 18. Hands-on Training
    Training - Think Like an Attacker
  • 20.
  • 21. Secure Code Review
    ● XSS
    ● Broken Access Control
    ● Secrets management
    ● Error handling
    ● SSRF + DNS Rebinding
    ● …and more!
    Influenced by OWASP Secure Coding Cheat Sheet
    Source: Your Personal Password Vault: A Password Journal and Logbook
    Training - Secure Code Review
  • 23. Leif’s Hawaiian Shirt Store
    I’ve paid David to build a new Hawaiian shirt store with React. Is there anything wrong with it?
    server.js
    App.js
    Training - Secure Code Review
  • 24. Leif’s Hawaiian Shirt Store
    Training - Secure Code Review
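The review exercise on slides 23 and 24 asks what is wrong with the store's server.js, but the slides do not reproduce the code. What follows is an added example, not the talk's code and not the store David built: a constructed pair of route helpers for a shop like it, covering two of the categories from the Secure Code Review list (XSS and Broken Access Control), each shown as the "before" a reviewer should flag and the "after" they should ask for. The function names (escapeHtml, renderSearch*, getOrder*, reviewReport), the ORDERS table, the order numbers and the user objects are all assumptions made for the example.

```javascript
// Added example (not the talk's code): a secure-code-review exercise in the
// spirit of the "Hawaiian shirt store" slides. The store data, route helpers
// and user objects are constructed for illustration and stand in for the
// server.js/App.js handlers the slide asks reviewers to critique.

// Minimal HTML escaper for text interpolated into an HTML body.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed sample data: two orders belonging to two different customers.
const ORDERS = new Map([
  [1001, { id: 1001, ownerId: 7, items: ['Aloha Palm, XL'] }],
  [1002, { id: 1002, ownerId: 9, items: ['Hibiscus Red, M'] }],
]);

// ---- "Before": what the review should flag -------------------------------

// Finding 1 (XSS): the search term is concatenated straight into the response
// body, so whatever a visitor puts in the query string is rendered as markup.
function renderSearchUnsafe(query) {
  return '<h1>Results for ' + query + '</h1>';
}

// Finding 2 (Broken Access Control): the handler checks that *someone* is
// logged in, but never that the requested order belongs to that someone.
function getOrderUnsafe(user, orderId) {
  if (!user) return { status: 401 };
  const order = ORDERS.get(orderId);
  return order ? { status: 200, order } : { status: 404 };
}

// ---- "After": the hardened versions a reviewer asks for ------------------

// Output encoding: user text is escaped before it lands in HTML.
function renderSearchSafe(query) {
  return '<h1>Results for ' + escapeHtml(query) + '</h1>';
}

// Ownership check added. 404 rather than 403 so the endpoint does not
// confirm that other customers' order numbers exist.
function getOrderSafe(user, orderId) {
  if (!user) return { status: 401 };
  const order = ORDERS.get(orderId);
  if (!order || order.ownerId !== user.id) return { status: 404 };
  return { status: 200, order };
}

// Runs the same inputs through both versions so the difference the reviewer
// is looking for shows up as data rather than prose.
function reviewReport() {
  const probe = '<script>alert(1)</script>'; // constructed review input
  const customer = { id: 7 };                 // owns order 1001 only
  return {
    xssBefore: renderSearchUnsafe(probe).includes('<script>'), // true: markup passes through
    xssAfter: renderSearchSafe(probe).includes('<script>'),    // false: escaped
    accessBefore: getOrderUnsafe(customer, 1002).status,       // 200: another customer's order is served
    accessAfter: getOrderSafe(customer, 1002).status,          // 404: denied
  };
}

console.log(reviewReport());
```

Running the block prints the four-field report; in a training session the "before" functions are what trainees get to review, and the "after" functions are the answer key. The 404-instead-of-403 choice in getOrderSafe is deliberate and worth discussing in a review: it keeps the existence of other customers' orders from being enumerable.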
  • 27.
  • 28. AppSec Training
    ● Meet new eng hires
    ● Common vuln types
    ● “Security Judgment”
    ● Think about PRs in new ways
    ● Have fun!
    Training - Secure Code Review
  • 29. Training - Secure Code Review
    Training - Think Like an Attacker
  • 31. Example - Snyk
    Snyk is a tool to help companies manage vulnerabilities in their dependencies.
    ● Security eval - tested on various repos
    ● Partnered with App team
    ● Presented at Eng all hands
    ● Security submitted PRs to core repos
    ● Wrote Integration with Directory
    Vendor Adoption
  • 34. Bug Bounty
    Pay for anything that gives value
    Source: https://www.ixxiyourworld.com/en/products/ixxi-images/boba-fett-film-poster/
    https://bugcrowd.com/segment?preview=7d6237547ee4ad71a249877be1858ffe
  • 35. Bug Report → Jira
    ● Description
    ● Easy to follow repro steps
    ● Severity
    ● Remediation Criteria
    ● Suggested Remediation
    Source: https://articles.microservices.com/an-alternative-way-of-visualizing-microservice-architecture-837cbee575c1
  • 36. Security ➡ Engineering Embed Program
    Follow the Normal Process
    ● Software design docs
    ● Get appropriate buy-in
    ● Work with Design
    ● Write good test cases
    ● Follow deployment procedures
    Engineering Embed
  • 37. Full Stack (Security) Engineering
    Walk a mile in the developer’s code
    ● Meet developers, designers, product managers
    ● Deeper understanding of the engineering process
    ● Learn more about the code base you’re protecting
    ● Diversify your skillset
    Engineering Embed
  • 39. Password Strength Meter
    (Timeline chart: Analytics, PM, Full-stack, Design, Marketing Copy)
    Engineering Embed
  • 42. Security ➡ Engineering Embed Program
    ● Great way to meet people
    ● Shows you can build useful features/tools
    ● Sec learns eng process/tooling/constraints
    ● Bring back knowledge to the security team
    Engineering Embed
  • 43. Security ➡ Engineering Embed Program
    ● Great way to meet people
    ● Shows you can build useful features/tools
    ● Sec learns eng process/tooling/constraints
    ● Bring back knowledge to the security team
    Engineering Embed
  • 45. In Case of Emergency
    ● Compliance requirements (GDPR, ISO27001, etc.)
    ● Recent Pentests (shown to customers)
    ● Customer security questionnaires
    ● My peers at companies x, y, and z do thing
  • 46. Key Takeaways
    • Get Involved!
    • Build Your Dream Team
  • 47. Key Takeaways
    • Get Involved!
    • Build Your Dream Team
    • Vulnerabilities are Just Bugs
    • Security is Everyone’s Job
    • “Security Judgment”
    • Successfully Partner Cross-functionally
    • Reduce Operational Work
    • Save your No’s
    @leifdreizler
  • 48. Key Takeaways
    • Get Involved!
    • Build Your Dream Team (this includes developers!)
    • Vulnerabilities are Just Bugs
    • Security is Everyone’s Job
    • “Security Judgment”
    • Successfully Partner Cross-functionally
    • Reduce Operational Work
    • Save your No’s
    @leifdreizler