7 strategies for scaling
play

7 strategies for scaling product security QCon 2018 New York City - PowerPoint PPT Presentation

Feb 12, 2023 •105 likes •895 views

7 strategies for scaling product security QCon 2018 New York City Angelo Prado, Senior Director Jet.com | Walmart about me 12+ years of experience in software development and Leading Product Security teams at Jet.com, Salesforce and

  1. 7 strategies for scaling product security QCon 2018 – New York City Angelo Prado, Senior Director Jet.com | Walmart

  2. about me 12+ years of experience in software development and Leading Product Security teams at Jet.com, Salesforce and Microsoft 4 times Black Hat Speaker, co-author of 10+ CVEs including the BREACH attack (SSL Side Channel) Currently leading a product security team across two continents, assistant professor in Spain at Comillas University, advising security startups and non-profits

  3. earlier career attempts…

  4. what is product security

  5. Product Security teams are the guardians of customer data , fixing and preventing security vulnerabilities. Inclusive of much more than just code. Product Security covers the full service and how your customers use and interact with it securely. It goes beyond securing the underlying software and includes operational responsibilities.

  6. why do we need Product Security?

  7. core mission prevent vulnerabilities build effective automation perform security reviews harden the product

  8. who needs product security?

  9. you do.

  10. we do.

  11. Security is reflected in how products are built and operated . Product Security should be engaged with customers and partners. Engineering teams must have a consistent interpretation of the security posture and secure development lifecycle.

  12. 7 strategies to scale Building Product Security from the ground up

  13. prioritize relationships and establish a non- blocking function

  14. SERVICE CATALOG design automation security training & vulnerability reviews services testing research management

  15. Product Security should be a lean, effective, non- blocking technical assessment function

  16. rules of engagement prioritize relationships over bugs The number of teams and individuals you interact with will keep growing – In connecting with other human beings, align priorities and exercise empathy be thoughtful about prioritization and risk Security isn’t always #1 - If you want to build a relationship with someone, you need to know their priorities. Develop a narrative that resonates with them be pragmatic and solicit feedback Security should not block shipping, and it shouldn’t be reactive . We triage vulnerabilities based on severity, but not all bugs are considered equal. Listen to the teams you support and proactively seek improvement importunities In collaboration with Tom Maher

  17. Even the most professional, security- conscious developers take it personally occasionally. It's not their fault. A regular drumbeat of "you're doing it wrong" will discourage anyone. Developers usually want to do the right thing - Promote thoughtful solutions that scale and balance technical capabilities with product usability

  18. the hacker mindset breaker mindset substantial knowledge of aptitude application-level attacks and flaws open source contributions, research, publications and bug bounty recognitions builder mindset soft skills strong knowledge of software development, browsers, cloud services, effective communication skills network, crypto and defense strategies and the ability to influence and communicate with engineers

  19. Run security like a business: Sorry, Mr. Hacker, this just isn't working out...

  20. invest in vulnerability management, metrics and reporting

  21. vuln management ship it! deliver bug the fix is released to a vulnerability is found, an production and required issue is created and comms are handled assigned to the team backlog verify fix work on a fix the fix is validated in an the engineering team staging environment, works out a fix, assisted by including different variants the security contact

  22. agile workflows proactive signoff security owner product teams are notified of any each product security engineer security issues and provided with owns a portfolio of applications hardening recommendations continuous testing design review security owners deploy automation security owners are responsible and perform gray-box testing for attending design reviews threat modeling security owners identify weaknesses and mitigations

  23. vulnerability notifications usability is a key the priority, description of the vulnerability, and the remediation target date should be emphasized make it actionable there should be a clear call to action on any vulnerability, indicating proposed remediation make it relevant ensure the right engineering team and security owner receive notifications for their products

  24. prioritize responsibly P0 Critical Priority (P0) – 7 days SLA Medium Priority (P1) – 30 days SLA P1 P2 Low Priority (P2) – 60 days SLA

  25. SLA process starts on delivery only after the right product team has been identified and their engineers notified resets if misrouted teams should not be penalized for incorrect delivery requires exception workflow engineering manager and security manager approval is required if a security issue cannot be remediated within the agreed SLA

  26. vulnerability management 07 – fixed! 01 – deliver bug 07 01 06 – security 06 approves 02 – work on a fix 02 05 05 – manager 03 03 – SLA is due approves 04 04 – exception requested

  27. track release progress open bugs these are bugs where no action has been taken 30 in progress 43 bugs actively worked on 24 resolved fixed & verified

  28. intake time / time to resolution team 7 4.5 2.8 5 team 9 3.5 1.8 3 New In Progress team 3 2.5 4.4 2 Fixed team 4 4.3 2.4 2 0 2 4 6 8 10 12 14

  29. vulnerability lifetime in production measures time since a team starts 22d > 20d working on a bug until a fix is deployed 18d cross-referenced with pull request size, 15d > it can help understand complexity and exposure starts when a vulnerability is introduced > in production, at deployment – this metric measures the effectiveness of Q1 Q2 Q3 Q4 your product security program.

  30. SLA adherence benchmarks recognizes teams that prioritize security highlights teams requiring assistance team a team b team c team d team d team f team g team h

  31. SLA trends over time critical issues all issues low priority Q2 17 Q3 17 Q4 17 Q1 18 Q2 18 Q3 18

  32. Benchmark by vulnerability type 66 % XSS 83 % Session Management 91 % Authorization 44 % SQL Injection 59 % Information Disclosure

  33. developers received 90% security training

  34. teams have automated coverage 73% SCA | RTA | DAST

  35. automate all the things

  36. Complexity is the enemy of security: Secure by default or die not actually trying

  37. scaling source code reviews we cannot of check- 98 % review ins

  38. 40 %+ of security vulnerabilities can be automatically detected

  39. vulnerability demographics auto discovery low- possible hanging manual fruit testing required

  40. vuln sources 40% 35 % 20 % 5 % automation bug bounty penetration regressions and tooling programs testing

  41. CI/CD integration analyzes check-ins automatically log issues manual validation

  42. types of automation static code analysis runtime self-protection understands when an application’s normal analyzes source code flows and incremental check-ins with known rules flow is being exercised by a malicious actor dynamic analysis actual vulnerability capable of testing web service and application endpoints in production

  43. open source software Vulnerabilities in Third-Party Libraries A solid third-party library program is required to review exploitable vulnerabilities and dependencies. Monitor CVEs and public exploits.

  44. successful automation false positives not actual vulnerabilities acceptable risk things that are technically valid but we are willing to live with due to mitigating controls or exploitability issues we care about Important, exploitable vulnerabilities

  45. Invest in product hardening

  46. awkwardness That period with an API after you know what you can do but before you know what you should do The Kaminsky Dictionary

  47. nailing the fundamentals HSTS & CSP Device Fingerprinting 01 02 HTTP Strict Transport Security Stopping account take-over attempts and and Content Security Policy using second-factor Auth smartly Secret Management Proactive Controls 03 04 Storing secrets securely Providing users and admins with management controls and visibility

  48. reducing the attack surface HSTS, CSP & Expect-CT Ensuring that all requests are done with strict transport security and that rogue certificates are not being used (certificate transparency). Content Security Policy enables us to filter out insecure content, avoid referrer leakage and in general block malicious JavaScript from executing

  49. secret management identify secrets store securely rotate secrets use rules & regular expressions key management system automatically perform key rotation implement automatic validation (key vault with HSM)

  50. session management www.nsa.gov Login Apps / oAuth History Device & Active Location Sessions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scaling From simple models to rich strategies PPPLab Day, November 30th Scaling: recent

Scaling From simple models to rich strategies PPPLab Day, November 30th Scaling: recent

Scaling From simple models to rich strategies PPPLab Day, November 30th Scaling: recent publications Insight Series Tool Animation The rationale for scaling As the SDGs require transformational change, scaling can provide: Reaching more

609 views • 37 slides
Scaling Strategies at USAID John E. Bowman, Ph.D. Senior Agriculture Advisor Office of

Scaling Strategies at USAID John E. Bowman, Ph.D. Senior Agriculture Advisor Office of

Scaling Strategies at USAID John E. Bowman, Ph.D. Senior Agriculture Advisor Office of Agricultural Research and Policy Bureau for Food Security Horticulture Innovation Lab Annual Meeting March 18, 2014 1 Scaling T echnologies Remarks by

344 views • 17 slides
Getting the Government To Do It: Strategies for Mainstreaming and Scaling Entrepreneurship

Getting the Government To Do It: Strategies for Mainstreaming and Scaling Entrepreneurship

Getting the Government To Do It: Strategies for Mainstreaming and Scaling Entrepreneurship Presenters: Moustapha Naite, Minister of Youth & Youth Employment (Guinea) Robert Mawanda, International Labour Organization (ILO)

554 views • 30 slides
Scaling foundational and adapted yield gap strategies One Acre Fund Eric Solomonson AULELIANA

Scaling foundational and adapted yield gap strategies One Acre Fund Eric Solomonson AULELIANA

Scaling foundational and adapted yield gap strategies One Acre Fund Eric Solomonson AULELIANA LUKOSI, TANZANIA Presentation summary 1. What we do and where we work (~5 minutes) 2. Working to adapt the program to heterogeneous conditions (~15

302 views • 16 slides
Analysis of Scaling Algorithms for Matrix & Operator Scaling Contents Scaling Algorithms

Analysis of Scaling Algorithms for Matrix & Operator Scaling Contents Scaling Algorithms

Rafael Oliveira University of Toronto Analysis of Scaling Algorithms for Matrix & Operator Scaling Contents Scaling Algorithms Three Step Analysis Generalization One More Application of Scaling Non-Negative Matrices &

604 views • 15 slides
ETI se Scaling for many organizations Hierarchy Recursive vs T.to eRaokon traverses the

ETI se Scaling for many organizations Hierarchy Recursive vs T.to eRaokon traverses the

Discovery Naming or IN 5 Why name 172.217 11.14 or google.com Indirection Security Isafety concerns How name iEE f google.com Et Challenge Scaling Scaling for many clients Caching D y D ETI se Scaling for many organizations Hierarchy

215 views • 4 slides
High Leverage Strategies in English and Math SOLANO COMMUNITY COLLEGE 3 Strategies in place

High Leverage Strategies in English and Math SOLANO COMMUNITY COLLEGE 3 Strategies in place

Scaling up High Leverage Strategies in English and Math SOLANO COMMUNITY COLLEGE 3 Strategies in place Accelerated developmental English since Fall 2011 Co-req supported transfer-level English since Spring 2016 Placement reform as

355 views • 9 slides
Outline Scaling Scalinga Plenitude of Power Laws Scaling-at-large Scaling-at-large

Outline Scaling Scalinga Plenitude of Power Laws Scaling-at-large Scaling-at-large

Scaling Outline Scaling Scalinga Plenitude of Power Laws Scaling-at-large Scaling-at-large Scaling-at-large Principles of Complex Systems Allometry Allometry Definitions Definitions Course 300, Fall, 2008 Examples Examples

568 views • 27 slides
So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling

So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling

So#ware Scaling Mo/va/on & Goals HW Configura/on & Scale Out So#ware Scaling Efforts System management Opera/ng system Programming environment PreAcceptance Work HW stabiliza/on & early scaling

390 views • 19 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (10/18/04) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (10/18/04) I E S R C E O V

Advanced VLSI Design Scaling CMPE 640 Scaling Technology scaling rate is approximately 13%/year, halving every 5 years. 100 10 m 1 0.1 1960 1970 1980 1990 2000 The size of the circuits also continues to increase. Besides increasing

362 views • 7 slides
Optimal scaling of the transient phase of Metropolis Hastings algorithms Tony Leli` evre Ecole

Optimal scaling of the transient phase of Metropolis Hastings algorithms Tony Leli` evre Ecole

Introduction Optimal scaling of the transient phase of RWMH Longtime convergence of the nonlinear SDE Optimization strategies for the RWMH algorithm Optimal scaling of the transient phase of Metropolis Hastings algorithms Tony Leli` evre

478 views • 37 slides
Outline Scalinga Plenitude of Power Laws Scaling-at-large Scaling-at-large Principles of

Outline Scalinga Plenitude of Power Laws Scaling-at-large Scaling-at-large Principles of

Scaling Scaling Outline Scalinga Plenitude of Power Laws Scaling-at-large Scaling-at-large Principles of Complex Systems Allometry Allometry CSYS/MATH 300, Fall, 2010 Definitions Definitions Examples Examples History: Metabolism

250 views • 20 slides
Outline Introduction What are the cusp anomaly and generalized scaling function? Superstring in

Outline Introduction What are the cusp anomaly and generalized scaling function? Superstring in

Scaling and integrability from AdS 5 S 5 Riccardo Ricci Imperial College London DAMTP Cambridge 14th October Work in collaboration with S. Giombi, R.Roiban, A. Tseytlin and C.Vergu Scaling and integrability from AdS 5 S 5 Riccardo Ricci

893 views • 50 slides
Communication Avoiding Power Scaling Power Scaling Derivatives of Algorithmic Communication

Communication Avoiding Power Scaling Power Scaling Derivatives of Algorithmic Communication

Communication Avoiding Power Scaling Power Scaling Derivatives of Algorithmic Communication Complexity John D. Leidel, Yong Chen Parallel Programming Models & Systems for High End Computing (P2S2 2015) Sept 1, 2015 1 Overview Intro:

776 views • 26 slides
Using EBS with Auto Scaling Groups How to use the immense power of AWS Auto-Scaling Groups for a

Using EBS with Auto Scaling Groups How to use the immense power of AWS Auto-Scaling Groups for a

Using EBS with Auto Scaling Groups How to use the immense power of AWS Auto-Scaling Groups for a stateful Docker application. Background Background In a service-oriented world where requests can come from anywhere at any time, keeping a

1.04k views • 31 slides
Scaling and Universality in Probability Francesco Caravenna Universit` a degli Studi di

Scaling and Universality in Probability Francesco Caravenna Universit` a degli Studi di

Weak Convergence Brownian Motion A glimpse of SLE Scaling Limits with Disorder Scaling and Universality in Probability Francesco Caravenna Universit` a degli Studi di Milano-Bicocca Luxembourg June 14, 2016 Francesco Caravenna Scaling

745 views • 33 slides
WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this

WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this

WELCOME Thanks for taking the time to learn a little bit about RooLife Group. We hope this presentation provides you with some understanding of who we are and why were able to keep our clients so happy. While 2020 is off to a tumultuous

515 views • 20 slides
CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running

CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running

CLOUD VENDORS CHOOSING WISELY WHOAMI @_yoav_ yoav at jfrog.com THE JFROG EXPERIENCE A fast running startup Doing cloud since 2009 2 cloud-based products JFrog Bintray JFrog Artifactory Cloud THE JFROG EXPERIENCE

406 views • 26 slides
Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

IBWAS 2010 From Risk Awareness to Security Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December 2010 About me Senior Information Security Consultant / Auditor University Professor: Security,

447 views • 23 slides
Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

674 views • 53 slides
IRICT 2018 Session Schedule Day 1: Monday, 23 rd July, 2018 Parallel Session I Melur Room

IRICT 2018 Session Schedule Day 1: Monday, 23 rd July, 2018 Parallel Session I Melur Room

IRICT 2018 Session Schedule Day 1: Monday, 23 rd July, 2018 Parallel Session I Melur Room (Main Hall): 12:00 pm 1:00 pm Deep Belief Network for Molecular Feature Selection in Ligand-Based Virtual Screening 12:00 pm 12:20 pm Maged

553 views • 12 slides
Murene Murene Subsea oil il fille illed pressure compensated system The hose conduit is

Murene Murene Subsea oil il fille illed pressure compensated system The hose conduit is

Murene Murene Subsea oil il fille illed pressure compensated system The hose conduit is specially designed as 1st barrier and mechanical protection for copper and fibre optical conductors. The hose is internally pressurized with a dielectric

331 views • 3 slides
A trial is a moral arena in which the character of the players is powerful medicine. It is

A trial is a moral arena in which the character of the players is powerful medicine. It is

A trial is a moral arena in which the character of the players is powerful medicine. It is typically the most important thing to think about while planning where on your opponent you want the focus of judgment. Character Studies, McElhaney

394 views • 7 slides
KEY BENEFITS sustainability put the automotive industry under WHEN USING OUR pressure to develop

KEY BENEFITS sustainability put the automotive industry under WHEN USING OUR pressure to develop

Twaron drives Automotive hoses and belts AUTOMOTIVE DEVELOPMENTS Manufacturers in the automotive industry are constantly looking for ways to maintain their competitiveness by getting innovative products to market fast. Safety issues, performance

772 views • 18 slides

More recommend