Engineering Empathy: Adapting Software Engineering Principles and Process to Security

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 11 a.m. (40 minutes)

Software engineering has a lot to teach our 'security engineering' teams. This session will be a live retrospective of a professional role reversal: dropping a principal security engineer into a runtime team, and placing a principal software engineer into the platform security assessment team.

We've got stories and live object lessons.

Attendees will return to work knowing exactly how we have implemented these ideas to partner with engineering to protect a world-class platform as a service running millions of customer containers and data services. This session is aimed at both ICs and management.

Shifting left is a great marketing tagline.

The valuable work is changing your security team's principles, processes, and culture to align with those of your organization's software engineering teams. Doing so lets you develop empathy for their constraints, tools, and processes. It also lets you build your own tools, processes, and requirements in ways that are more actionable, realistic, and easier to understand and implement.


Presenters:

  • Camille Mackinnon - Principal Infrastructure Engineer, Salesforce
    Camille Mackinnon is a Principal Infrastructure Engineer at Salesforce and has over 10 years of experience in software engineering, cloud infrastructure, and site reliability engineering. During her time at Salesforce, she has worked on Heroku's data infrastructure engineering team, operating millions of datastores in the cloud, and she now works on the security assurance team. Her current role includes performing threat modeling and architecture review, secure code review, penetration testing, security research, reverse engineering, and exploit development with a focus on containers and cloud infrastructure.
  • Craig Ingram - Principal Security Engineer, Salesforce
    Craig Ingram is a Principal Security Engineer at Salesforce and has over 15 years of experience in Information Security. During his time at Salesforce, he has also worked outside of security on Heroku's runtime infrastructure engineering team building and operating large scale container orchestration platforms. His current role includes performing threat modeling and architecture review, secure code review, penetration testing, security research, reverse engineering, and exploit development with a focus on containers and cloud infrastructure.