Moving Fast and Securing Things

Presented at Kiwicon 2038AD: The Dystopic Future is Now (2018), Nov. 17, 2018, 9 a.m. (30 minutes).

In a world where autonomy flourishes, a perpetual stream of new ideas gets executed. As the manifestations of dreams move into our beautiful world, how can we ensure that the safety of its inhabitants is not compromised for progress? How do we create a process that recognizes the unique humanity of builders, makers, and coders? How do we enforce security without spiraling into a dystopian authoritarian force with a boot on the neck of valiant developers everywhere?

At Slack, we’re certainly not perfect. And we recognize that as they are not yet full cyborgs, our human developers are going to make mistakes. Learn about the ways that we set our security teams up for success while still getting cool new stuff out the door as fast as our teams can dream it up...err, and write the code, QA test it, build it and ship it. But still. It’s a fast process. And we want to secure it.

“Process” is often seen as antithetical to the fast-moving nature of startups; security processes, in particular, can be regarded as a direct impediment to shipping cool features. On the other hand, the security of an organization and its users shouldn’t be disregarded for the sake of speed. Striking a balance between security and nimble development is a vital part of an application security team’s job. At Slack, we have implemented a secure development process which has both accelerated development and allowed us to scale our small team to cover the features of a rapidly growing engineering organization.

This presentation will illuminate both our Secure Development Lifecycle (SDL) process and the tooling that we have open-sourced, as well as provide analysis of how the process has worked thus far, and where we'd like to take it. We'll discuss our deployment of a flexible framework for security reviews, including a lightweight self-service assessment tool, a checklist generator, and most importantly a messaging process that meets people where they are already working. We’ll show how it’s possible to encourage a security mindset among developers, while avoiding an adversarial relationship.
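The abstract describes a self-service assessment tool, a checklist generator and a messaging step without showing how the pieces fit together. The block below is an added illustrative example written for this page; it is not Slack's released tooling or code from the talk. A developer answers a short questionnaire about a feature, the answers produce a risk score and tier, the tier pulls in a review checklist, and the result is rendered as a message that can be posted where the team already works. The questions, weights, tier thresholds, checklist items and routing text are all constructed assumptions.

```python
"""Risk-tiered self-service assessment and checklist generator.

Illustrative example, not Slack's tooling. Question weights, tier
thresholds, checklist items and routing text are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Each question: (risk weight, review items pulled in when answered "yes").
QUESTIONS: Dict[str, Tuple[int, List[str]]] = {
    "handles_pii": (3, [
        "Document data classification and retention for new fields",
        "Confirm PII is encrypted in transit and at rest",
    ]),
    "new_auth_flow": (4, [
        "Threat model the authentication/authorization flow",
        "Verify token expiry, revocation and replay handling",
    ]),
    "third_party_integration": (2, [
        "Review the vendor's security posture and data handling",
        "Scope third-party credentials to least privilege and rotate them",
    ]),
    "new_external_endpoint": (2, [
        "Add the endpoint to the authorization test suite",
        "Validate and bound every request parameter",
    ]),
    "executes_user_supplied_code": (5, [
        "Sandbox execution with resource and syscall limits",
        "Schedule a penetration test before general availability",
    ]),
}

# Items every feature gets regardless of answers.
BASELINE: List[str] = [
    "Static analysis and dependency scan pass in CI",
    "Peer review completed against this checklist",
]

# Minimum score for each tier; the highest matching tier wins.
TIERS = [(0, "low"), (4, "medium"), (8, "high")]

# What each tier means for the developer, in plain language.
ROUTING = {
    "low": "Self-service: work through the checklist and ship.",
    "medium": "Post the checklist in the security channel for async sign-off.",
    "high": "Security review required before merge; open a review request.",
}


@dataclass
class Assessment:
    feature: str
    score: int
    tier: str
    checklist: List[str] = field(default_factory=list)


def assess(feature: str, answers: Dict[str, bool]) -> Assessment:
    """Score the answers and build the checklist; unknown keys are rejected
    so a typo in a question name cannot silently lower the risk tier."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unknown question(s): {sorted(unknown)}")
    score = 0
    checklist = list(BASELINE)
    for key, (weight, items) in QUESTIONS.items():
        if answers.get(key, False):
            score += weight
            checklist.extend(items)
    tier = "low"
    for minimum, name in TIERS:
        if score >= minimum:
            tier = name
    return Assessment(feature, score, tier, checklist)


def format_message(a: Assessment) -> str:
    """Render the assessment as a chat-ready message with checkboxes."""
    lines = [
        f"Security self-assessment for '{a.feature}': tier {a.tier} (score {a.score})",
        ROUTING[a.tier],
        "Checklist:",
    ]
    lines += [f"  [ ] {item}" for item in a.checklist]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a new OAuth install flow that talks to a vendor.
    demo = assess("OAuth app install flow",
                  {"new_auth_flow": True, "third_party_integration": True})
    print(format_message(demo))
```

The point of rejecting unknown answer keys is that the cheapest way for a self-service form to fail is for a risky question to be skipped unnoticed; failing loudly keeps the tier honest. The tier, not the score, is what gets routed, so the thresholds are the place where the security team encodes how much of its attention a feature earns.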


Presenters:

  • Kelly Ann
    Kelly Ann is a security engineer on the Product Security team at Slack, where she works on vulnerability assessments of Slack features, as well as educational materials for security best practices for developers. Before joining Slack, Kelly was a penetration tester at NCC Group, and she was previously an eco-pirate protecting endangered species. Prior to studying Web Application Development and Penetration Testing, Kelly worked in Intelligence and Investigations for nearly 15 years, working undercover and coordinating covert operations enforcing environmental and animal welfare legislation. Her experience in Operational and Information Security led her to spend four years with Sea Shepherd, mostly on the flagship. Her proudest accomplishment is crafting the media strategy that forced former NZ PM John Key to hold a press conference denouncing the Japanese whaling fleet, at which he is visibly miserable about having been forced to do so. She held the highest level of security clearance, working with confidential sources and evading high-tech tracking by state actors, poachers in Antarctica, and pirates in Somali waters. She led a complex 16-month covert campaign involving multiple ships spanning the globe, navigating international waters and international diplomacy, developing and implementing all security procedures and protocols, and most importantly, maintaining the safety of all ships and crew. Kelly holds degrees in both Media & Communications Strategy and Gender Studies and graduated from Hackbright Academy. She teaches operational and information security workshops with civil liberties organizations, and has won first place in a social engineering Capture the Flag hosted by Women in Security and Privacy (WISP).