The Real World Security Track brings together stories about various successful approaches to reducing the risk of running real systems in production. Come learn what has worked to protect others while being targeted by increasingly sophisticated adversaries. Come ask questions about how to make good security tradeoffs when writing software. And do all of this with some of the top security practitioners in the industry today!
Track: Real World Security
Location: Majestic Complex, 6th fl
Day of week: Friday
Track Host: Bryan Payne
Dr. Bryan D. Payne has dedicated his career to the complex field of computer security. He currently leads the Product and Application Security team at Netflix where they provide the security expertise and create systems that protect Netflix’s large cloud footprint. Over the years he has worked on both offensive and defensive security projects for government, academia, and industry. As a result, Dr. Payne brings a unique perspective to modern security issues.
10:35am - 11:25am
Making Security Usable: Product Engineer Perspective
This is a story of going through typical security challenges: how to build products that reliably deliver security guarantees, avoid typical pitfalls, and are usable in a predictable fashion by real users. It's a tale of balancing religious adherence to security practices with keeping customers' needs in mind at all times inside the development team; listening to the customers and observing actual behavior outside in the wild; and trying to make the best decisions to empower customers with easy tools for encrypting data in their apps securely and without pain.
We'll take a look at the process through the eyes of one of our customers, who did everything wrong before getting things right, and through the eyes of the product engineer responsible for learning the lessons that make security products even more usable and reliable for non-security-focused engineers.
Key takeaways:
Attendees will go through several stages of the inception and implementation of database encryption and intrusion detection tools. They will see the "behind the scenes" work inside a cryptographic engineering company, see how customers are among the most useful people to learn from, and see how getting over the "we tell you what to do" mentality makes security tools better.
11:50am - 12:40pm
Data Security Dreams and Nightmares
We don't often hear about the successes of data security programs, yet failures in securing data are trumpeted by the media, leading to commercial disbarment of anyone associated with a data breach. What lessons did I learn by observing and assisting with data breaches? It is not only how to avoid them, but also what can be done to emerge successfully from a bad situation. This is a thrilling ride with a behind-the-scenes look into the dynamics of many major data breaches. Let's learn from their mistakes, not your own.
1:40pm - 2:30pm
Defense in Depth: In Depth
Hindsight is often 20/20 for security vulnerabilities, and it is too easy to point fingers and cast blame when a security incident occurs. However, working to prevent a security compromise can feel like an unparalleled challenge, where no amount of planning can cover or foresee every point of failure that could lead to a devastating compromise.
While preventing security vulnerabilities can seem like a daunting task, practicing defense in depth is a useful place to start. As attacks often leverage a chain of compromises, it can be nearly impossible to test for every failure case. Instead, developers, teams, and organizations can layer security techniques and practices to achieve an outcome where a single vulnerability (or even several) still limits what an attacker can ultimately achieve.
In this talk, we'll look at what defense in depth means from a variety of roles and perspectives: from developers practicing defensive coding to minimize common code vulnerabilities, to architects designing secure systems beyond just the perimeter, to building secure products for users who can't remember a 50-character password. We'll see how defense in depth can help organizations prevent unforeseen attacks and limit damage when compromises do occur.
2:55pm - 3:45pm
7 Strategies for Scaling Product Security
Product Security and Application Security Engineering teams are tasked with fixing and preventing security vulnerabilities, developing security controls, building meaningful security automation, maintaining security review processes, building security capabilities into existing products, and leveraging the collective skills of the research community, all while being the guardians of customer data.
Beyond Penetration Testing – In this presentation, we will cover seven different high-ROI strategies for resource-constrained Product Security teams that need to scale to support thousands of developers. We will dig deep into different tenets that help build and grow a high-functioning security engineering practice, including secret management, automation services, vulnerability management, reporting and operational excellence, bug bounty programs, training, engagement and product defense strategies.
Attendees will be provided with actionable technical strategies and time-tested lessons to build a comprehensive Secure SDL program and increase their organization's product security maturity in just a few months.
4:10pm - 5:00pm
Engineering Secure Products at Facebook
In this talk we'll discuss how we build secure products at Facebook. Our strategy includes building safe by default frameworks, using code analysis in creative and powerful ways, building meaningful relationships with whitehat researchers, and deeply understanding risks to specialized products and features. We’ll show examples of past bugs, and introduce the challenges we face going forward. Come find out our approach to securing 2+ billion people!
Tracks
- Microservices: Patterns & Practices: Evolving, observing, persisting, and building modern microservices
- Developer Experience: Level up Your Engineering Effectiveness: Improving the end-to-end developer experience (design, dev, test, deploy, operate/understand). Tools, techniques, and trends.
- Modern Java Reloaded: Modern, modular, fast, and effective Java. Pushing the boundaries of JDK 9 and beyond.
- Modern User Interfaces: Screens and Beyond: Zero UI, voice, mobile: interfaces pushing the boundary of what we consider to be the interface
- Practical Machine Learning: Applied machine learning lessons for SWEs, including tech around TensorFlow, TPUs, Keras, Caffe, & more
- Ethics in Computing: Inclusive technology, ethics and politics of technology. Considering bias. Societal relationship with tech. Also the privacy problems we have today (e.g., GDPR, right to be forgotten)
- Architectures You've Always Wondered About: Next-gen architectures from the most admired companies in software, such as Netflix, Google, Facebook, Twitter, Goldman Sachs
- Modern CS in the Real World: Thoughts pushing software forward, including consensus, CRDTs, formal methods, & probabilistic programming
- Container and Orchestration Platforms in Action: Runtime containers, libraries, and services that power microservices
- Finding the Serverless Sweetspot: Stories about the pains and gains from migrating to Serverless.
- Chaos, Complexity, and Resilience: Lessons building resilient systems and the war stories that drove their adoption
- Real World Security: Practical lessons building, maintaining, and deploying secure systems
- Blockchain Enabled: Exploring smart contracts, oracles, sidechains, and what can/cannot be done with blockchain today.
- 21st Century Languages: Lessons learned from languages like Rust, Go, Swift, Kotlin, and more.
- Empowered Teams: Safely running inclusive teams that are autonomous and self-correcting