A pragmatic approach for internal security partnerships

Presented at Diana Initiative 2018, Aug. 10, 2018, 4 p.m. (50 minutes)

Why do we have such a hard time getting engineering teams to care about vulnerabilities? How is it that we are fixing lots of vulnerabilities, yet are still falling ever further behind on the actual risks? These questions both have the same answer, but getting to it requires empathy, trust, courage, and a giant step back from our day-to-day approach to security.

In this talk we will share our experiences about creating proactive partnerships with engineering and product teams. From the ways we have seen this fail to recent success stories, we will illustrate specific practices that help developers and security teams focus and align on a shared view of risk, rather than a laundry list of vulnerabilities: the leverage that comes from enabling rather than gating, automating for visibility and action to manage scale, threat modeling across organizations rather than individual applications, and the particulars of how we get big security features onto busy product teams' roadmaps.


Presenters:

  • Scott Behrens - Senior Application Security Engineer at Netflix
    Scott Behrens is a Senior Application Security Engineer at Netflix. Before Netflix, Scott worked as a senior security consultant at Neohapsis (Cisco) and as an adjunct professor at DePaul University. Scott's expertise lies in application security, security automation, and penetration testing. As an avid coder and researcher, he has contributed to many open source tools for both attack and defense. Scott has presented security research at DEF CON, DerbyCon, Shakacon, ShmooCon, SOURCE Boston, OWASP AppSec USA, Security B-sides Chicago, and many other conferences.
  • Esha Kanekar - Senior Technical Program Manager at Netflix
    Esha Kanekar is a Senior Technical Program Manager at Netflix, where she helps the Product and Application Security team build security programs and drive large cross-functional security initiatives organization wide. Previously, she has held a variety of roles, including security consultant at Cigital, lead of the Application Security team at NVIDIA, and manager of vendor assessments and other large scale data security initiatives at LinkedIn. With 10 years in security, Esha has a wide range of experience including running penetration tests, vulnerability management, implementing security solutions (static and dynamic analysis tools), and program management.
