SlideShare a Scribd company logo

Building a Modern Security Engineering Organization. Zane Lackey

Yandex
Yandex

Technology
1 of 68
Download to read offline
Building a Modern Security Engineering Organization ! ! zane@signalsciences.com @zanelackey
Who  is  this  guy  anyway? ! • Built and led the Etsy Security Team – Spoiler alert: what this presentation is about ! • Recently co-founded Signal Sciences to productize effective AppSec approaches !
! ! This talk is a collection of lessons learned from building and adapting a security team
For security teams, the world has changed in fundamental ways: ! – Code deployment is now near- instantaneous
For security teams, the world has changed in fundamental ways: ! – Code deployment is now near- instantaneous ! – Merging of development and operations means more people with production access
For security teams, the world has changed in fundamental ways: ! – Code deployment is now near- instantaneous ! – Merging of development and operations means more people with production access ! – Cost of attack has significantly dropped
! ! Near-instantaneous deployment?
A  technical  diagram  of  traditional  waterfall  code  deployment  
! ! What is this shifting to?
! ! Etsy pushes to production 30 times a day on average
! ! Constant iteration in production via feature flags, ramp ups, A/B testing
! ! But doesn’t the rapid rate of change mean things are less secure?!
Actually,  the  opposite  is   true
! ! ! ! They key to realize is vulnerabilities occur in all development methodologies ! …But there’s no such thing as an out-of- band patch in continuous deployment !
! ! ! ! They key to realize is vulnerabilities occur in all development methodologies ! …But there’s no such thing as an out-of- band patch in continuous deployment !
Compared to: ! “We’ll rush that security fix. It will go out … in about 6 weeks.” ! - Former vendor at Etsy
! ! ! ! What makes continuous deployment safe?
Source:  http://www.slideshare.net/mikebrittain/advanced-­‐topics-­‐in-­‐continuous-­‐deployment
! ! ! ! The same culture of graphing and monitoring inherent to continuous deployment can be used for security too
! ! ! ! Surface security info for everyone, not just the security team
! ! ! ! “Don’t treat security as a binary event” - @ngalbreath
Building  a  (k-­‐)rad  culture *Mullets  sold  separately  
! ! ! ! In the shift to continuous deployment, speed increases by removing organizational blockers
! ! ! ! Trying to make security a blocker means you get routed around
! ! ! ! Instead, the focus becomes on incentivizing teams to reach out to security
Keys to incentivizing conversation: ! – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. ! ! ! !
Keys to incentivizing conversation: ! – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. ! – Make realistic tradeoffs. Don’t fall in to the trap of thinking every issue is critical. • Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.
Keys to incentivizing conversation: ! – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. ! ! !
Keys to incentivizing conversation: ! – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. ! – Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well.
Keys to incentivizing conversation: ! – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. ! – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
Keys to incentivizing conversation: ! – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. ! – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
Access  restrictions
! ! ! ! Startups begin with a simple access control policy: Everyone can access everything
! ! ! ! As organization grow there will be more pressure to institute access policies
! ! ! ! The key to remember is don’t take away capabilities
Methodology: ! 1. Figure out what capability is needed ! 2. Build an alternate way to perform the needed function in a safe way ! 3. Transition the organization over to the safe way ! 4. Alert on any usage of the old unsafe way
Methodology: ! 1. Figure out what capability is needed ! 2. Build an alternate way to perform the needed function in a safe way ! 3. Transition the organization over to the safe way ! 4. Alert on any usage of the old unsafe way
Methodology: ! 1. Figure out what capability is needed ! 2. Build an alternate way to perform the needed function in a safe way ! 3. Transition the organization over to the safe way ! 4. Alert on any usage of the old unsafe way
Methodology: ! 1. Figure out what capability is needed ! 2. Build an alternate way to perform the needed function in a safe way ! 3. Transition the organization over to the safe way ! 4. Alert on any usage of the old unsafe way
! ! ! ! EX: SSH access to production systems
Security policy goal: Eliminate unneeded access to production systems ! – Why do developers do it? Ex: To view error logs ! – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) ! – Publicize the new tooling to the organization ! – After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems ! – Why do developers do it? Ex: To view error logs ! – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) ! – Publicize the new tooling to the organization ! – After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems ! – Why do developers do it? Ex: To view error logs ! – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) ! – Publicize the new tooling to the organization ! – After majority of transition, alert on any logins to production systems by non-sysops
Security policy goal: Eliminate unneeded access to production systems ! – Why do developers do it? Ex: To view error logs ! – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) ! – Publicize the new tooling to the organization ! – After majority of transition, alert on any logins to production systems by non-sysops
Increasing  attacker  cost
! Specifically, some thoughts on: ! – Bug Bounties ! – Attack simulations/pentesting
Bug  Bounties
! ! ! ! Bug bounties are tremendously useful. If you’re not working towards launching one, strongly consider it.
Common concerns about launching a bounty: ! 1. Budgetary concerns. Money is almost never the main motivation for researchers, you can launch a bounty with just a hall of fame and still get great submissions. ! 1. Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
Common concerns about launching a bounty: ! 1. Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. ! 1. Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
Common concerns about launching a bounty: ! 1. Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. ! 1. Risk of inviting attacks. It’s the Internet. You’re already getting pentested continuously, you’re just not receiving the report.
The ultimate goals of a bug bounty are threefold: ! 1. Incentivize people to report issues to you in the first place ! 2. Drive up cost of vulnerability discovery and exploitation for attackers ! 3. Provide an external validation of if your security program is working (or not)
The ultimate goals of a bug bounty are threefold: ! 1. Incentivize people to report issues to you in the first place ! 2. Drive up cost of vulnerability discovery and exploitation for attackers ! 3. Provide an external validation of if your security program is working (or not)
The ultimate goals of a bug bounty are threefold: ! 1. Incentivize people to report issues to you in the first place ! 2. Drive up cost of vulnerability discovery and exploitation for attackers ! 3. Provide an external validation of where your security program is working (and where it’s not)
! ! ! ! Before you launch, record what vulnerability classes you expect to see and what you don’t. ! Compare this against the issues actually reported. !
! ! ! ! Before you launch, record what vulnerability classes you expect to see and what you don’t. ! Compare this against the issues actually reported. !
Keep metrics on: ! – Number of bugs reported and severities ! – Time to remediation of reported issues ! ! You want both of these metrics to trend down over time
Practical considerations: ! – Inform all teams before bounty launch, especially non-engineering teams • Ex: Customer Support ! – Attacks will start almost immediately ! For Etsy bug bounty launch, time from announcement to first attack: 13min
Practical considerations: ! – Inform all teams before bounty launch, especially non-engineering teams • Ex: Customer Support ! – Attacks will start almost immediately ! For Etsy bug bounty launch, time from announcement to first attack: 13min
Practical considerations: ! – Your first 2-3 weeks will be intense. Have as many people as you can dedicated to triage and response
Practical considerations: ! – Operationally review any helper systems for scaling problems beforehand • When 10-100x traffic hits helper systems your security team uses, what falls over? ! – Money almost never the overriding factor, hall of fame is ! – Researchers are generally great to interact with
Practical considerations: ! – Operationally review any helper systems for scaling problems beforehand • When 10-100x traffic hits helper systems your security team uses, what falls over? ! – Money is almost never the main motivation for bounty participants, hall of fame credit is ! – Researchers are generally great to interact with
Practical considerations: ! – Operationally review any helper systems for scaling problems beforehand. • When 10-100x traffic hits helper systems your security team uses, what falls over? ! – Money is almost never the main motivation for bounty participants, hall of fame credit is ! – Key to great researcher interaction is frequent and transparent communication
! ! ! TL;DR (The section formerly known as “Conclusions”)
• Adapt security team culture to DevOps and continuous deployment by: – Surfacing security monitoring and metrics – Incentivize discussions with the security team – When creating policy, don’t take away capabilities ! ! • Drive up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations
Thanks! ! ! ! ! ! ! ! zane@signalsciences.com @zanelackey

Recommended

Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)Dinis Cruz
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment TypesHackerOne
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon
 
Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Dinis Cruz
 
GDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringGDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringAaron Rinehart
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WaySeniorStoryteller
 

Recommended

Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)Dinis Cruz
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment TypesHackerOne
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon
 
Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Dinis Cruz
 
GDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringGDS-Austin - DevSecOps & Security Chaos Engineering
GDS-Austin - DevSecOps & Security Chaos EngineeringAaron Rinehart
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WaySeniorStoryteller
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013bugcrowd
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 
Chaos Engineering, When should you release the monkeys?
Chaos Engineering, When should you release the monkeys?Chaos Engineering, When should you release the monkeys?
Chaos Engineering, When should you release the monkeys?Thoughtworks
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Bug bounty programs
Bug bounty programsBug bounty programs
Bug bounty programsDan Vasile
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringAaron Rinehart
 
Pivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringPivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringAaron Rinehart
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringAaron Rinehart
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howJoe McCray
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
Work with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec CaliforniaWork with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec Californialeifdreizler
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringAaron Rinehart
 
Brand Protection & Security of Engineering Components
Brand Protection & Security of Engineering ComponentsBrand Protection & Security of Engineering Components
Brand Protection & Security of Engineering ComponentsBilcareltd
 
Service-Oriented Security Engineering
Service-Oriented Security EngineeringService-Oriented Security Engineering
Service-Oriented Security EngineeringRichard Veryard
 

More Related Content

What's hot

5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013bugcrowd
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 
Chaos Engineering, When should you release the monkeys?
Chaos Engineering, When should you release the monkeys?Chaos Engineering, When should you release the monkeys?
Chaos Engineering, When should you release the monkeys?Thoughtworks
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Bug bounty programs
Bug bounty programsBug bounty programs
Bug bounty programsDan Vasile
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringAaron Rinehart
 
Pivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringPivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringAaron Rinehart
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringAaron Rinehart
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howJoe McCray
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
 
Work with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec CaliforniaWork with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec Californialeifdreizler
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringAaron Rinehart
 

What's hot (20)

5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 
Chaos Engineering, When should you release the monkeys?
Chaos Engineering, When should you release the monkeys?Chaos Engineering, When should you release the monkeys?
Chaos Engineering, When should you release the monkeys?
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
 
Bug bounty programs
Bug bounty programsBug bounty programs
Bug bounty programs
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos EngineeringRSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
 
Pivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos EngineeringPivotal APJ Security Chaos Engineering
Pivotal APJ Security Chaos Engineering
 
DevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos EngineeringDevSecOps Days Istanbul 2020 Security Chaos Engineering
DevSecOps Days Istanbul 2020 Security Chaos Engineering
 
So you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you howSo you wanna be a pentester - free webinar to show you how
So you wanna be a pentester - free webinar to show you how
 
Getting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking CompetitionGetting ready for a Capture The Flag Hacking Competition
Getting ready for a Capture The Flag Hacking Competition
 
Work with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec CaliforniaWork with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec California
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
OWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos EngineeringOWASP AppSec Global 2019 Security & Chaos Engineering
OWASP AppSec Global 2019 Security & Chaos Engineering
 

Viewers also liked

Brand Protection & Security of Engineering Components
Brand Protection & Security of Engineering ComponentsBrand Protection & Security of Engineering Components
Brand Protection & Security of Engineering ComponentsBilcareltd
 
Service-Oriented Security Engineering
Service-Oriented Security EngineeringService-Oriented Security Engineering
Service-Oriented Security EngineeringRichard Veryard
 
Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Ian Sommerville
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 
CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)Sam Bowne
 
Тестирование CSS-регрессий с Gemini — Сергей Татаринцев
Тестирование CSS-регрессий с Gemini — Сергей ТатаринцевТестирование CSS-регрессий с Gemini — Сергей Татаринцев
Тестирование CSS-регрессий с Gemini — Сергей ТатаринцевYandex
 
Безопасный поиск: основные тренды 2014 года. Андрей Ковалев
Безопасный поиск: основные тренды 2014 года. Андрей Ковалев Безопасный поиск: основные тренды 2014 года. Андрей Ковалев
Безопасный поиск: основные тренды 2014 года. Андрей КовалевYandex
 
Андрей Годин - Базы данных: Документоориентированная горизонтально масштабиру...
Андрей Годин - Базы данных: Документоориентированная горизонтально масштабиру...Андрей Годин - Базы данных: Документоориентированная горизонтально масштабиру...
Андрей Годин - Базы данных: Документоориентированная горизонтально масштабиру...Yandex
 
Симаков Алексей - Системы управления кластерами
Симаков Алексей - Системы управления кластерами Симаков Алексей - Системы управления кластерами
Симаков Алексей - Системы управления кластерами Yandex
 
Иван Титов — Inducing Semantic Representations from Text with Little or No Su...
Иван Титов — Inducing Semantic Representations from Text with Little or No Su...Иван Титов — Inducing Semantic Representations from Text with Little or No Su...
Иван Титов — Inducing Semantic Representations from Text with Little or No Su...Yandex
 
Building Quality Code That Lasts: A Dropbox Story. Ashley Nelson-Hornstein
Building Quality Code That Lasts: A Dropbox Story. Ashley Nelson-Hornstein Building Quality Code That Lasts: A Dropbox Story. Ashley Nelson-Hornstein
Building Quality Code That Lasts: A Dropbox Story. Ashley Nelson-HornsteinYandex
 
Как мы документируем программные интерфейсы. Алексей Миронов
Как мы документируем программные интерфейсы. Алексей МироновКак мы документируем программные интерфейсы. Алексей Миронов
Как мы документируем программные интерфейсы. Алексей МироновYandex
 
Открытие Солнечной системы, Виталий Егоров
Открытие Солнечной системы, Виталий ЕгоровОткрытие Солнечной системы, Виталий Егоров
Открытие Солнечной системы, Виталий ЕгоровYandex
 
Алексей Авдеев — Применение Backbone.js для рефакторинга фронтенда веб-прилож...
Алексей Авдеев — Применение Backbone.js для рефакторинга фронтенда веб-прилож...Алексей Авдеев — Применение Backbone.js для рефакторинга фронтенда веб-прилож...
Алексей Авдеев — Применение Backbone.js для рефакторинга фронтенда веб-прилож...Yandex
 
Асинхронная модульность в API Яндекс.Карт — Александр Зинчук
Асинхронная модульность в API Яндекс.Карт — Александр ЗинчукАсинхронная модульность в API Яндекс.Карт — Александр Зинчук
Асинхронная модульность в API Яндекс.Карт — Александр ЗинчукYandex
 
Андрей Соболевский - Вокруг Базельской задачи: Бернулли, Эйлер, Риман
Андрей Соболевский - Вокруг Базельской задачи: Бернулли, Эйлер, РиманАндрей Соболевский - Вокруг Базельской задачи: Бернулли, Эйлер, Риман
Андрей Соболевский - Вокруг Базельской задачи: Бернулли, Эйлер, РиманYandex
 
Алексей Лавренюк - Организация нагрузочного тестирования
Алексей Лавренюк - Организация нагрузочного тестирования Алексей Лавренюк - Организация нагрузочного тестирования
Алексей Лавренюк - Организация нагрузочного тестирования Yandex
 
Дмитрий Васильев - Задачи ассиметричной криптографии
Дмитрий Васильев - Задачи ассиметричной криптографииДмитрий Васильев - Задачи ассиметричной криптографии
Дмитрий Васильев - Задачи ассиметричной криптографииYandex
 

Viewers also liked (20)

Brand Protection & Security of Engineering Components
Brand Protection & Security of Engineering ComponentsBrand Protection & Security of Engineering Components
Brand Protection & Security of Engineering Components
 
Service-Oriented Security Engineering
Service-Oriented Security EngineeringService-Oriented Security Engineering
Service-Oriented Security Engineering
 
Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013
 
Ch14 resilience engineering
Ch14 resilience engineeringCh14 resilience engineering
Ch14 resilience engineering
 
Ch13 security engineering
Ch13 security engineeringCh13 security engineering
Ch13 security engineering
 
CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)
 
Тестирование CSS-регрессий с Gemini — Сергей Татаринцев
Тестирование CSS-регрессий с Gemini — Сергей ТатаринцевТестирование CSS-регрессий с Gemini — Сергей Татаринцев
Тестирование CSS-регрессий с Gemini — Сергей Татаринцев
 
Безопасный поиск: основные тренды 2014 года. Андрей Ковалев
Безопасный поиск: основные тренды 2014 года. Андрей Ковалев Безопасный поиск: основные тренды 2014 года. Андрей Ковалев
Безопасный поиск: основные тренды 2014 года. Андрей Ковалев
 
Андрей Годин - Базы данных: Документоориентированная горизонтально масштабиру...
Андрей Годин - Базы данных: Документоориентированная горизонтально масштабиру...Андрей Годин - Базы данных: Документоориентированная горизонтально масштабиру...
Андрей Годин - Базы данных: Документоориентированная горизонтально масштабиру...
 
Симаков Алексей - Системы управления кластерами
Симаков Алексей - Системы управления кластерами Симаков Алексей - Системы управления кластерами
Симаков Алексей - Системы управления кластерами
 
Иван Титов — Inducing Semantic Representations from Text with Little or No Su...
Иван Титов — Inducing Semantic Representations from Text with Little or No Su...Иван Титов — Inducing Semantic Representations from Text with Little or No Su...
Иван Титов — Inducing Semantic Representations from Text with Little or No Su...
 
Building Quality Code That Lasts: A Dropbox Story. Ashley Nelson-Hornstein
Building Quality Code That Lasts: A Dropbox Story. Ashley Nelson-Hornstein Building Quality Code That Lasts: A Dropbox Story. Ashley Nelson-Hornstein
Building Quality Code That Lasts: A Dropbox Story. Ashley Nelson-Hornstein
 
Как мы документируем программные интерфейсы. Алексей Миронов
Как мы документируем программные интерфейсы. Алексей МироновКак мы документируем программные интерфейсы. Алексей Миронов
Как мы документируем программные интерфейсы. Алексей Миронов
 
Открытие Солнечной системы, Виталий Егоров
Открытие Солнечной системы, Виталий ЕгоровОткрытие Солнечной системы, Виталий Егоров
Открытие Солнечной системы, Виталий Егоров
 
Алексей Авдеев — Применение Backbone.js для рефакторинга фронтенда веб-прилож...
Алексей Авдеев — Применение Backbone.js для рефакторинга фронтенда веб-прилож...Алексей Авдеев — Применение Backbone.js для рефакторинга фронтенда веб-прилож...
Алексей Авдеев — Применение Backbone.js для рефакторинга фронтенда веб-прилож...
 
Асинхронная модульность в API Яндекс.Карт — Александр Зинчук
Асинхронная модульность в API Яндекс.Карт — Александр ЗинчукАсинхронная модульность в API Яндекс.Карт — Александр Зинчук
Асинхронная модульность в API Яндекс.Карт — Александр Зинчук
 
Андрей Соболевский - Вокруг Базельской задачи: Бернулли, Эйлер, Риман
Андрей Соболевский - Вокруг Базельской задачи: Бернулли, Эйлер, РиманАндрей Соболевский - Вокруг Базельской задачи: Бернулли, Эйлер, Риман
Андрей Соболевский - Вокруг Базельской задачи: Бернулли, Эйлер, Риман
 
Алексей Лавренюк - Организация нагрузочного тестирования
Алексей Лавренюк - Организация нагрузочного тестирования Алексей Лавренюк - Организация нагрузочного тестирования
Алексей Лавренюк - Организация нагрузочного тестирования
 
Дмитрий Васильев - Задачи ассиметричной криптографии
Дмитрий Васильев - Задачи ассиметричной криптографииДмитрий Васильев - Задачи ассиметричной криптографии
Дмитрий Васильев - Задачи ассиметричной криптографии
 

Similar to Building a Modern Security Engineering Organization. Zane Lackey

Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsAlison Gianotto
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Fuzzing: Challenges and Reflections
Fuzzing: Challenges and ReflectionsFuzzing: Challenges and Reflections
Fuzzing: Challenges and Reflectionsmboehme
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software developmentNick Galbreath
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Yazad Khandhadia
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранSigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsSeniorStoryteller
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Stu Hirst
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security TestingPECB
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environmentArthur Donkers
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics MethodsSplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics MethodsSplunk
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You..."Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...Izar Tarandach
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunk
 

Similar to Building a Modern Security Engineering Organization. Zane Lackey (20)

Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
 
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk FundamentalsMacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk Fundamentals
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Fuzzing: Challenges and Reflections
Fuzzing: Challenges and ReflectionsFuzzing: Challenges and Reflections
Fuzzing: Challenges and Reflections
 
Fixing security by fixing software development
Fixing security by fixing software developmentFixing security by fixing software development
Fixing security by fixing software development
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon Edwards
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016Building a Security culture at Skyscanner 2016
Building a Security culture at Skyscanner 2016
 
Cyber Security Testing
Cyber Security TestingCyber Security Testing
Cyber Security Testing
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton Chuvakin
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibility
 
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics MethodsSplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You..."Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You...
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics Methods
 

More from Yandex

Предсказание оттока игроков из World of Tanks
Предсказание оттока игроков из World of TanksПредсказание оттока игроков из World of Tanks
Предсказание оттока игроков из World of TanksYandex
 
Как принять/организовать работу по поисковой оптимизации сайта, Сергей Царик,...
Как принять/организовать работу по поисковой оптимизации сайта, Сергей Царик,...Как принять/организовать работу по поисковой оптимизации сайта, Сергей Царик,...
Как принять/организовать работу по поисковой оптимизации сайта, Сергей Царик,...Yandex
 
Структурированные данные, Юлия Тихоход, лекция в Школе вебмастеров Яндекса
Структурированные данные, Юлия Тихоход, лекция в Школе вебмастеров ЯндексаСтруктурированные данные, Юлия Тихоход, лекция в Школе вебмастеров Яндекса
Структурированные данные, Юлия Тихоход, лекция в Школе вебмастеров ЯндексаYandex
 
Представление сайта в поиске, Сергей Лысенко, лекция в Школе вебмастеров Яндекса
Представление сайта в поиске, Сергей Лысенко, лекция в Школе вебмастеров ЯндексаПредставление сайта в поиске, Сергей Лысенко, лекция в Школе вебмастеров Яндекса
Представление сайта в поиске, Сергей Лысенко, лекция в Школе вебмастеров ЯндексаYandex
 
Плохие методы продвижения сайта, Екатерины Гладких, лекция в Школе вебмастеро...
Плохие методы продвижения сайта, Екатерины Гладких, лекция в Школе вебмастеро...Плохие методы продвижения сайта, Екатерины Гладких, лекция в Школе вебмастеро...
Плохие методы продвижения сайта, Екатерины Гладких, лекция в Школе вебмастеро...Yandex
 
Основные принципы ранжирования, Сергей Царик и Антон Роменский, лекция в Школ...
Основные принципы ранжирования, Сергей Царик и Антон Роменский, лекция в Школ...Основные принципы ранжирования, Сергей Царик и Антон Роменский, лекция в Школ...
Основные принципы ранжирования, Сергей Царик и Антон Роменский, лекция в Школ...Yandex
 
Основные принципы индексирования сайта, Александр Смирнов, лекция в Школе веб...
Основные принципы индексирования сайта, Александр Смирнов, лекция в Школе веб...Основные принципы индексирования сайта, Александр Смирнов, лекция в Школе веб...
Основные принципы индексирования сайта, Александр Смирнов, лекция в Школе веб...Yandex
 
Мобильное приложение: как и зачем, Александр Лукин, лекция в Школе вебмастеро...
Мобильное приложение: как и зачем, Александр Лукин, лекция в Школе вебмастеро...Мобильное приложение: как и зачем, Александр Лукин, лекция в Школе вебмастеро...
Мобильное приложение: как и зачем, Александр Лукин, лекция в Школе вебмастеро...Yandex
 
Сайты на мобильных устройствах, Олег Ножичкин, лекция в Школе вебмастеров Янд...
Сайты на мобильных устройствах, Олег Ножичкин, лекция в Школе вебмастеров Янд...Сайты на мобильных устройствах, Олег Ножичкин, лекция в Школе вебмастеров Янд...
Сайты на мобильных устройствах, Олег Ножичкин, лекция в Школе вебмастеров Янд...Yandex
 
Качественная аналитика сайта, Юрий Батиевский, лекция в Школе вебмастеров Янд...
Качественная аналитика сайта, Юрий Батиевский, лекция в Школе вебмастеров Янд...Качественная аналитика сайта, Юрий Батиевский, лекция в Школе вебмастеров Янд...
Качественная аналитика сайта, Юрий Батиевский, лекция в Школе вебмастеров Янд...Yandex
 
Что можно и что нужно измерять на сайте, Петр Аброськин, лекция в Школе вебма...
Что можно и что нужно измерять на сайте, Петр Аброськин, лекция в Школе вебма...Что можно и что нужно измерять на сайте, Петр Аброськин, лекция в Школе вебма...
Что можно и что нужно измерять на сайте, Петр Аброськин, лекция в Школе вебма...Yandex
 
Как правильно поставить ТЗ на создание сайта, Алексей Бородкин, лекция в Школ...
Как правильно поставить ТЗ на создание сайта, Алексей Бородкин, лекция в Школ...Как правильно поставить ТЗ на создание сайта, Алексей Бородкин, лекция в Школ...
Как правильно поставить ТЗ на создание сайта, Алексей Бородкин, лекция в Школ...Yandex
 
Как защитить свой сайт, Пётр Волков, лекция в Школе вебмастеров
Как защитить свой сайт, Пётр Волков, лекция в Школе вебмастеровКак защитить свой сайт, Пётр Волков, лекция в Школе вебмастеров
Как защитить свой сайт, Пётр Волков, лекция в Школе вебмастеровYandex
 
Как правильно составить структуру сайта, Дмитрий Сатин, лекция в Школе вебмас...
Как правильно составить структуру сайта, Дмитрий Сатин, лекция в Школе вебмас...Как правильно составить структуру сайта, Дмитрий Сатин, лекция в Школе вебмас...
Как правильно составить структуру сайта, Дмитрий Сатин, лекция в Школе вебмас...Yandex
 
Технические особенности создания сайта, Дмитрий Васильева, лекция в Школе веб...
Технические особенности создания сайта, Дмитрий Васильева, лекция в Школе веб...Технические особенности создания сайта, Дмитрий Васильева, лекция в Школе веб...
Технические особенности создания сайта, Дмитрий Васильева, лекция в Школе веб...Yandex
 
Конструкторы для отдельных элементов сайта, Елена Першина, лекция в Школе веб...
Конструкторы для отдельных элементов сайта, Елена Першина, лекция в Школе веб...Конструкторы для отдельных элементов сайта, Елена Першина, лекция в Школе веб...
Конструкторы для отдельных элементов сайта, Елена Першина, лекция в Школе веб...Yandex
 
Контент для интернет-магазинов, Катерина Ерошина, лекция в Школе вебмастеров ...
Контент для интернет-магазинов, Катерина Ерошина, лекция в Школе вебмастеров ...Контент для интернет-магазинов, Катерина Ерошина, лекция в Школе вебмастеров ...
Контент для интернет-магазинов, Катерина Ерошина, лекция в Школе вебмастеров ...Yandex
 
Как написать хороший текст для сайта, Катерина Ерошина, лекция в Школе вебмас...
Как написать хороший текст для сайта, Катерина Ерошина, лекция в Школе вебмас...Как написать хороший текст для сайта, Катерина Ерошина, лекция в Школе вебмас...
Как написать хороший текст для сайта, Катерина Ерошина, лекция в Школе вебмас...Yandex
 
Usability и дизайн - как не помешать пользователю, Алексей Иванов, лекция в Ш...
Usability и дизайн - как не помешать пользователю, Алексей Иванов, лекция в Ш...Usability и дизайн - как не помешать пользователю, Алексей Иванов, лекция в Ш...
Usability и дизайн - как не помешать пользователю, Алексей Иванов, лекция в Ш...Yandex
 
Cайт. Зачем он и каким должен быть, Алексей Иванов, лекция в Школе вебмастеро...
Cайт. Зачем он и каким должен быть, Алексей Иванов, лекция в Школе вебмастеро...Cайт. Зачем он и каким должен быть, Алексей Иванов, лекция в Школе вебмастеро...
Cайт. Зачем он и каким должен быть, Алексей Иванов, лекция в Школе вебмастеро...Yandex
 

More from Yandex (20)

Предсказание оттока игроков из World of Tanks
Предсказание оттока игроков из World of TanksПредсказание оттока игроков из World of Tanks
Предсказание оттока игроков из World of Tanks
 
Как принять/организовать работу по поисковой оптимизации сайта, Сергей Царик,...
Как принять/организовать работу по поисковой оптимизации сайта, Сергей Царик,...Как принять/организовать работу по поисковой оптимизации сайта, Сергей Царик,...
Как принять/организовать работу по поисковой оптимизации сайта, Сергей Царик,...
 
Структурированные данные, Юлия Тихоход, лекция в Школе вебмастеров Яндекса
Структурированные данные, Юлия Тихоход, лекция в Школе вебмастеров ЯндексаСтруктурированные данные, Юлия Тихоход, лекция в Школе вебмастеров Яндекса
Структурированные данные, Юлия Тихоход, лекция в Школе вебмастеров Яндекса
 
Представление сайта в поиске, Сергей Лысенко, лекция в Школе вебмастеров Яндекса
Представление сайта в поиске, Сергей Лысенко, лекция в Школе вебмастеров ЯндексаПредставление сайта в поиске, Сергей Лысенко, лекция в Школе вебмастеров Яндекса
Представление сайта в поиске, Сергей Лысенко, лекция в Школе вебмастеров Яндекса
 
Плохие методы продвижения сайта, Екатерины Гладких, лекция в Школе вебмастеро...
Плохие методы продвижения сайта, Екатерины Гладких, лекция в Школе вебмастеро...Плохие методы продвижения сайта, Екатерины Гладких, лекция в Школе вебмастеро...
Плохие методы продвижения сайта, Екатерины Гладких, лекция в Школе вебмастеро...
 
Основные принципы ранжирования, Сергей Царик и Антон Роменский, лекция в Школ...
Основные принципы ранжирования, Сергей Царик и Антон Роменский, лекция в Школ...Основные принципы ранжирования, Сергей Царик и Антон Роменский, лекция в Школ...
Основные принципы ранжирования, Сергей Царик и Антон Роменский, лекция в Школ...
 
Основные принципы индексирования сайта, Александр Смирнов, лекция в Школе веб...
Основные принципы индексирования сайта, Александр Смирнов, лекция в Школе веб...Основные принципы индексирования сайта, Александр Смирнов, лекция в Школе веб...
Основные принципы индексирования сайта, Александр Смирнов, лекция в Школе веб...
 
Мобильное приложение: как и зачем, Александр Лукин, лекция в Школе вебмастеро...
Мобильное приложение: как и зачем, Александр Лукин, лекция в Школе вебмастеро...Мобильное приложение: как и зачем, Александр Лукин, лекция в Школе вебмастеро...
Мобильное приложение: как и зачем, Александр Лукин, лекция в Школе вебмастеро...
 
Сайты на мобильных устройствах, Олег Ножичкин, лекция в Школе вебмастеров Янд...
Сайты на мобильных устройствах, Олег Ножичкин, лекция в Школе вебмастеров Янд...Сайты на мобильных устройствах, Олег Ножичкин, лекция в Школе вебмастеров Янд...
Сайты на мобильных устройствах, Олег Ножичкин, лекция в Школе вебмастеров Янд...
 
Качественная аналитика сайта, Юрий Батиевский, лекция в Школе вебмастеров Янд...
Качественная аналитика сайта, Юрий Батиевский, лекция в Школе вебмастеров Янд...Качественная аналитика сайта, Юрий Батиевский, лекция в Школе вебмастеров Янд...
Качественная аналитика сайта, Юрий Батиевский, лекция в Школе вебмастеров Янд...
 
Что можно и что нужно измерять на сайте, Петр Аброськин, лекция в Школе вебма...
Что можно и что нужно измерять на сайте, Петр Аброськин, лекция в Школе вебма...Что можно и что нужно измерять на сайте, Петр Аброськин, лекция в Школе вебма...
Что можно и что нужно измерять на сайте, Петр Аброськин, лекция в Школе вебма...
 
Как правильно поставить ТЗ на создание сайта, Алексей Бородкин, лекция в Школ...
Как правильно поставить ТЗ на создание сайта, Алексей Бородкин, лекция в Школ...Как правильно поставить ТЗ на создание сайта, Алексей Бородкин, лекция в Школ...
Как правильно поставить ТЗ на создание сайта, Алексей Бородкин, лекция в Школ...
 
Как защитить свой сайт, Пётр Волков, лекция в Школе вебмастеров
Как защитить свой сайт, Пётр Волков, лекция в Школе вебмастеровКак защитить свой сайт, Пётр Волков, лекция в Школе вебмастеров
Как защитить свой сайт, Пётр Волков, лекция в Школе вебмастеров
 
Как правильно составить структуру сайта, Дмитрий Сатин, лекция в Школе вебмас...
Как правильно составить структуру сайта, Дмитрий Сатин, лекция в Школе вебмас...Как правильно составить структуру сайта, Дмитрий Сатин, лекция в Школе вебмас...
Как правильно составить структуру сайта, Дмитрий Сатин, лекция в Школе вебмас...
 
Технические особенности создания сайта, Дмитрий Васильева, лекция в Школе веб...
Технические особенности создания сайта, Дмитрий Васильева, лекция в Школе веб...Технические особенности создания сайта, Дмитрий Васильева, лекция в Школе веб...
Технические особенности создания сайта, Дмитрий Васильева, лекция в Школе веб...
 
Конструкторы для отдельных элементов сайта, Елена Першина, лекция в Школе веб...
Конструкторы для отдельных элементов сайта, Елена Першина, лекция в Школе веб...Конструкторы для отдельных элементов сайта, Елена Першина, лекция в Школе веб...
Конструкторы для отдельных элементов сайта, Елена Першина, лекция в Школе веб...
 
Контент для интернет-магазинов, Катерина Ерошина, лекция в Школе вебмастеров ...
Контент для интернет-магазинов, Катерина Ерошина, лекция в Школе вебмастеров ...Контент для интернет-магазинов, Катерина Ерошина, лекция в Школе вебмастеров ...
Контент для интернет-магазинов, Катерина Ерошина, лекция в Школе вебмастеров ...
 
Как написать хороший текст для сайта, Катерина Ерошина, лекция в Школе вебмас...
Как написать хороший текст для сайта, Катерина Ерошина, лекция в Школе вебмас...Как написать хороший текст для сайта, Катерина Ерошина, лекция в Школе вебмас...
Как написать хороший текст для сайта, Катерина Ерошина, лекция в Школе вебмас...
 
Usability и дизайн - как не помешать пользователю, Алексей Иванов, лекция в Ш...
Usability и дизайн - как не помешать пользователю, Алексей Иванов, лекция в Ш...Usability и дизайн - как не помешать пользователю, Алексей Иванов, лекция в Ш...
Usability и дизайн - как не помешать пользователю, Алексей Иванов, лекция в Ш...
 
Cайт. Зачем он и каким должен быть, Алексей Иванов, лекция в Школе вебмастеро...
Cайт. Зачем он и каким должен быть, Алексей Иванов, лекция в Школе вебмастеро...Cайт. Зачем он и каким должен быть, Алексей Иванов, лекция в Школе вебмастеро...
Cайт. Зачем он и каким должен быть, Алексей Иванов, лекция в Школе вебмастеро...
 

Recently uploaded

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Building a Modern Security Engineering Organization. Zane Lackey

  • 1. Building a Modern Security Engineering Organization ! ! zane@signalsciences.com @zanelackey
  • 2. Who  is  this  guy  anyway? ! • Built and led the Etsy Security Team – Spoiler alert: what this presentation is about ! • Recently co-founded Signal Sciences to productize effective AppSec approaches !
  • 3. ! ! This talk is a collection of lessons learned from building and adapting a security team
  • 4. For security teams, the world has changed in fundamental ways: ! – Code deployment is now near- instantaneous
  • 5. For security teams, the world has changed in fundamental ways: ! – Code deployment is now near- instantaneous ! – Merging of development and operations means more people with production access
  • 6. For security teams, the world has changed in fundamental ways: ! – Code deployment is now near- instantaneous ! – Merging of development and operations means more people with production access ! – Cost of attack has significantly dropped
  • 8. A  technical  diagram  of  traditional  waterfall  code  deployment  
  • 9. ! ! What is this shifting to?
  • 10. ! ! Etsy pushes to production 30 times a day on average
  • 11. ! ! Constant iteration in production via feature flags, ramp ups, A/B testing
  • 12. ! ! But doesn’t the rapid rate of change mean things are less secure?!
  • 14. ! ! ! ! They key to realize is vulnerabilities occur in all development methodologies ! …But there’s no such thing as an out-of- band patch in continuous deployment !
  • 15. ! ! ! ! They key to realize is vulnerabilities occur in all development methodologies ! …But there’s no such thing as an out-of- band patch in continuous deployment !
  • 16. Compared to: ! “We’ll rush that security fix. It will go out … in about 6 weeks.” ! - Former vendor at Etsy
  • 17. ! ! ! ! What makes continuous deployment safe?
  • 18.
  • 20. ! ! ! ! The same culture of graphing and monitoring inherent to continuous deployment can be used for security too
  • 21. ! ! ! ! Surface security info for everyone, not just the security team
  • 22.
  • 23. ! ! ! ! “Don’t treat security as a binary event” - @ngalbreath
  • 24. Building  a  (k-­‐)rad  culture *Mullets  sold  separately  
  • 25. ! ! ! ! In the shift to continuous deployment, speed increases by removing organizational blockers
  • 26. ! ! ! ! Trying to make security a blocker means you get routed around
  • 27. ! ! ! ! Instead, the focus becomes on incentivizing teams to reach out to security
  • 28. Keys to incentivizing conversation: ! – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. ! ! ! !
  • 29. Keys to incentivizing conversation: ! – Don’t be a jerk. This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. ! – Make realistic tradeoffs. Don’t fall in to the trap of thinking every issue is critical. • Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.
  • 30. Keys to incentivizing conversation: ! – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. ! ! !
  • 31. Keys to incentivizing conversation: ! – Coherently explain impact. “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. ! – Reward communication with security team. T-Shirts, gift cards, and high fives all work (shockingly) well.
  • 32. Keys to incentivizing conversation: ! – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. ! – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
  • 33. Keys to incentivizing conversation: ! – Take the false positive hit yourself. Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. ! – Scale via team leads. Build relationships with technical leads from other teams so they make security part of their teams culture.
  • 35. ! ! ! ! Startups begin with a simple access control policy: Everyone can access everything
  • 36. ! ! ! ! As organization grow there will be more pressure to institute access policies
  • 37. ! ! ! ! The key to remember is don’t take away capabilities
  • 38. Methodology: ! 1. Figure out what capability is needed ! 2. Build an alternate way to perform the needed function in a safe way ! 3. Transition the organization over to the safe way ! 4. Alert on any usage of the old unsafe way
  • 39. Methodology: ! 1. Figure out what capability is needed ! 2. Build an alternate way to perform the needed function in a safe way ! 3. Transition the organization over to the safe way ! 4. Alert on any usage of the old unsafe way
  • 40. Methodology: ! 1. Figure out what capability is needed ! 2. Build an alternate way to perform the needed function in a safe way ! 3. Transition the organization over to the safe way ! 4. Alert on any usage of the old unsafe way
  • 41. Methodology: ! 1. Figure out what capability is needed ! 2. Build an alternate way to perform the needed function in a safe way ! 3. Transition the organization over to the safe way ! 4. Alert on any usage of the old unsafe way
  • 42. ! ! ! ! EX: SSH access to production systems
  • 43. Security policy goal: Eliminate unneeded access to production systems ! – Why do developers do it? Ex: To view error logs ! – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) ! – Publicize the new tooling to the organization ! – After majority of transition, alert on any logins to production systems by non-sysops
  • 44. Security policy goal: Eliminate unneeded access to production systems ! – Why do developers do it? Ex: To view error logs ! – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) ! – Publicize the new tooling to the organization ! – After majority of transition, alert on any logins to production systems by non-sysops
  • 45. Security policy goal: Eliminate unneeded access to production systems ! – Why do developers do it? Ex: To view error logs ! – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) ! – Publicize the new tooling to the organization ! – After majority of transition, alert on any logins to production systems by non-sysops
  • 46. Security policy goal: Eliminate unneeded access to production systems ! – Why do developers do it? Ex: To view error logs ! – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) ! – Publicize the new tooling to the organization ! – After majority of transition, alert on any logins to production systems by non-sysops
  • 48. ! Specifically, some thoughts on: ! – Bug Bounties ! – Attack simulations/pentesting
  • 50. ! ! ! ! Bug bounties are tremendously useful. If you’re not working towards launching one, strongly consider it.
  • 51. Common concerns about launching a bounty: ! 1. Budgetary concerns. Money is almost never the main motivation for researchers, you can launch a bounty with just a hall of fame and still get great submissions. ! 1. Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
  • 52. Common concerns about launching a bounty: ! 1. Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. ! 1. Risk of inviting attacks. You’re already getting attacked continuously, you’re just not getting the results.
  • 53. Common concerns about launching a bounty: ! 1. Budgetary concerns. Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. ! 1. Risk of inviting attacks. It’s the Internet. You’re already getting pentested continuously, you’re just not receiving the report.
  • 54. The ultimate goals of a bug bounty are threefold: ! 1. Incentivize people to report issues to you in the first place ! 2. Drive up cost of vulnerability discovery and exploitation for attackers ! 3. Provide an external validation of if your security program is working (or not)
  • 55. The ultimate goals of a bug bounty are threefold: ! 1. Incentivize people to report issues to you in the first place ! 2. Drive up cost of vulnerability discovery and exploitation for attackers ! 3. Provide an external validation of if your security program is working (or not)
  • 56. The ultimate goals of a bug bounty are threefold: ! 1. Incentivize people to report issues to you in the first place ! 2. Drive up cost of vulnerability discovery and exploitation for attackers ! 3. Provide an external validation of where your security program is working (and where it’s not)
  • 57. ! ! ! ! Before you launch, record what vulnerability classes you expect to see and what you don’t. ! Compare this against the issues actually reported. !
  • 58. ! ! ! ! Before you launch, record what vulnerability classes you expect to see and what you don’t. ! Compare this against the issues actually reported. !
  • 59. Keep metrics on: ! – Number of bugs reported and severities ! – Time to remediation of reported issues ! ! You want both of these metrics to trend down over time
  • 60. Practical considerations: ! – Inform all teams before bounty launch, especially non-engineering teams • Ex: Customer Support ! – Attacks will start almost immediately ! For Etsy bug bounty launch, time from announcement to first attack: 13min
  • 61. Practical considerations: ! – Inform all teams before bounty launch, especially non-engineering teams • Ex: Customer Support ! – Attacks will start almost immediately ! For Etsy bug bounty launch, time from announcement to first attack: 13min
  • 62. Practical considerations: ! – Your first 2-3 weeks will be intense. Have as many people as you can dedicated to triage and response
  • 63. Practical considerations: ! – Operationally review any helper systems for scaling problems beforehand • When 10-100x traffic hits helper systems your security team uses, what falls over? ! – Money almost never the overriding factor, hall of fame is ! – Researchers are generally great to interact with
  • 64. Practical considerations: ! – Operationally review any helper systems for scaling problems beforehand • When 10-100x traffic hits helper systems your security team uses, what falls over? ! – Money is almost never the main motivation for bounty participants, hall of fame credit is ! – Researchers are generally great to interact with
  • 65. Practical considerations: ! – Operationally review any helper systems for scaling problems beforehand. • When 10-100x traffic hits helper systems your security team uses, what falls over? ! – Money is almost never the main motivation for bounty participants, hall of fame credit is ! – Key to great researcher interaction is frequent and transparent communication
  • 66. ! ! ! TL;DR (The section formerly known as “Conclusions”)
  • 67. • Adapt security team culture to DevOps and continuous deployment by: – Surfacing security monitoring and metrics – Incentivize discussions with the security team – When creating policy, don’t take away capabilities ! ! • Drive up attacker cost through bug bounty programs, countering phishing, and running realistic attack simulations