The Tactical Application Security Program: Getting Stuff Done

Presented at Black Hat USA 2015, Aug. 5, 2015, 1:50 p.m. (50 minutes)

How many times have we heard the following pieces of wisdom from CISOs or other security talking heads? Be strategic, not tactical. Build security in - forget about break-fix.

Like a siren song, these words have caused a great many professionals to crash upon the rocks, and the strategy-first camp is simply doing a disservice to your users. Maybe that is why the average CISO only lasts a couple of years.

In our talk, we're going to tackle this conventional wisdom in the name of Getting Shit Done and propose a new path: The Tactical Security Program. We've established a lightweight, heavy-hitting team that's performed over 400 assessments, handled over 900 bugs, and established a private bug bounty program, all in one year, and we'd like to share some of our practices. If you are managing a program, you will come out of our talk with some actionable advice. If you are a worker bee, we will teach you how to subvert the system from within.

And while we're at it, we will tell you why following some of the newer trends of security wisdom, including embracing public bug bounty programs, is also a bad idea. Yeah, we said it.


Presenters:

  • David Cintz - LinkedIn
    David Cintz is the Senior Technical Program Manager for Security Ecosystems at LinkedIn. He is responsible for working with outside researchers, running the private bug bounty program, smashing vulnerabilities across the entire company, and coordinating application security incident response events. David's prior experience includes work at Black Hat, Zynga, and Chevron. Similar to his professional career, his interests in Search & Rescue and Aviation play into his passion for managing the unpredictable.
  • Cory Scott - LinkedIn
    Cory Scott is the Director of House Security at LinkedIn. He is responsible for production and corporate information security, including assessment, monitoring, incident response, and assurance activities. Prior to joining LinkedIn, he was at Matasano Security, where he led the consulting teams based in Chicago and Mountain View. He has also held technical management positions at @stake, Symantec, and ABN AMRO/Royal Bank of Scotland. He has presented at Black Hat Briefings, USENIX, OWASP, and SANS.