Keynote: Developers as a Malware Distribution Vehicle
What You’ll Learn
-
Understand where to draw the line between developer empowerment and keeping systems (and data) safe.
-
Learn concrete examples how the tech world giants balance this risk.
-
Gain a deeper appreciation of what can go wrong if this risk is not considered.
Abstract
A malicious XCode injected malware into thousands of apps, stealing data of millions of users. Tokens committed to a GitHub repo exposed millions of Uber drivers and passengers. A phished developer gave the Syrian Electronic Army access to the Financial Times’ site.
What do all of these have in common? They were caused by developers. Well-intentioned, smart and experienced developers. They had nothing to do with writing insecure code, and everything to do with the incredible access we’re entrusted with, ranging from code that reaches millions to direct access to these users’ data.
In the name of DevOps, we’ve made developers incredibly powerful – but when does such access become unacceptable risk? Are there architectures and processes that let us move fast without exposing the keys to the kingdom? Can our culture be trusting and agile yet have a healthy appreciation of risk?
Besides building a sober appreciation of this risk, this talk will help equip us to handle it. We’ll learn risk management from role models inside and outside of tech, understand cognitive biases, and build the case that good security constraints can actually help us move faster. Lastly, we’ll share a vision of where we may be headed, and how we can protect ourselves – and our users.
Interview
What is the talk about any why is it so important to you?
This talk is about the security implications of the great power that developers have today. With a click of a button, developers can deploy code. The reach of that code is ever growing. This is an amazing way to deliver rich features and allows a truly rapid pace of development, but they’re also scary… scary as hell. Balancing this empowerment with safety is not obvious.
This talk shows through storytelling and examples what can happen when this balance goes wrong. It offers examples, role models, and guidelines on how to think about addressing balancing a rapid pace of deployment with safety concerns.
Without too many details, what are some of the stories you plan to cover?
We’ll talk about viruses that spread by compromising developers. We’ll talk a little bit about how that happens and what it means when it happens. Part of that discussion will be what to look for to even know if it has happened. Similarly, we’ll talk about incidents where privileged developer access to production data led to some issues. The goal is to learn from some of these stories.
In addition, we’ll look at some of the software giants. These are the companies that are known for their strong security and developer empowerment and see what we can learn. We’ll answer things like how do the biggest and most well-known tech companies address this risk. Companies we’ll look to include Microsoft, Google, and Netflix. We’ll see what practices we can learn from them.
This is not a problem that has a silver bullet. Everything is a tradeoff. The goal of this talk is to arm you with the right questions and offer the right examples to understand where you want to draw the line between developer empowerment and safety.
What trend in the next 12 months would you recommend an early adopter/early majority SWE to pay particular attention to?
The growth in adoption of DevSecOps practices. As DevOps helps us accelerate our business, it’s increasingly clear that security is either the bottleneck or is left behind, neither is a good option. The imperfect “DevSecOps” buzzword embodies security practices that we can integrate into the software development process without slowing it down.
Tracks
-
Microservices: Patterns & Practices
Evolving, observing, persisting, and building modern microservices
-
Developer Experience: Level up Your Engineering Effectiveness
Improving the end to end developer experience - design, dev, test, deploy, operate/understand. Tools, techniques, and trends.
-
Modern Java Reloaded
Modern, Modular, fast, and effective Java. Pushing the boundaries of JDK 9 and beyond.
-
Modern User Interfaces: Screens and Beyond
Zero UI, voice, mobile: Interfaces pushing the boundary of what we consider to be the interface
-
Practical Machine Learning
Applied machine learning lessons for SWEs, including tech around TensorFlow, TPUs, Keras, Caffe, & more
-
Ethics in Computing
Inclusive technology, Ethics and politics of technology. Considering bias. Societal relationship with tech. Also the privacy problems we have today (e.g., GDPR, right to be forgotten)
-
Architectures You've Always Wondered About
Next-gen architectures from the most admired companies in software, such as Netflix, Google, Facebook, Twitter, Goldman Sachs
-
Modern CS in the Real World
Thoughts pushing software forward, including consensus, CRDT's, formal methods, & probalistic programming
-
Container and Orchestration Platforms in Action
Runtime containers, libraries, and services that power microservices
-
Finding the Serverless Sweetspot
Stories about the pains and gains from migrating to Serverless.
-
Chaos, Complexity, and Resilience
Lessons building resilient systems and the war stories that drove their adoption
-
Real World Security
Practical lessons building, maintaining, and deploying secure systems
-
Blockchain Enabled
Exploring Smart contracts, oracles, sidechains, and what can/cannot be done with blockchain today.
-
21st Century Languages
Lessons learned from languages like Rust, Go-lang, Swift, Kotlin, and more.
-
Empowered Teams
Safely running inclusive teams that are autonomous and self-correcting