7 strategies for scaling product security
QCon 2018 – New York City
Angelo Prado, Senior Director
Jet.com | Walmart

about me
12+ years of experience in software development and leading Product Security teams at Jet.com, Salesforce and Microsoft
4-time Black Hat speaker, co-author of 10+ CVEs including the BREACH attack (SSL side channel)
Currently leading a product security team across two continents, assistant professor in Spain at Comillas University, advising security startups and non-profits
earlier career attempts…

what is product security

Product Security teams are the guardians of customer data, fixing and preventing security vulnerabilities. This covers much more than just code: Product Security covers the full service and how your customers use and interact with it securely. It goes beyond securing the underlying software and includes operational responsibilities.

why do we need Product Security?

core mission
prevent vulnerabilities
build effective automation
perform security reviews
harden the product

who needs product security?
you do.
we do.

Security is reflected in how products are built and operated. Product Security should be engaged with customers and partners. Engineering teams must have a consistent interpretation of the security posture and secure development lifecycle.

7 strategies to scale
Building Product Security from the ground up

prioritize relationships and establish a non-blocking function

SERVICE CATALOG
design reviews
automation services
security testing
vulnerability management
training & research

Product Security should be a lean, effective, non-blocking technical assessment function

rules of engagement
prioritize relationships over bugs
The number of teams and individuals you interact with will keep growing. In connecting with other human beings, align priorities and exercise empathy.
be thoughtful about prioritization and risk
Security isn't always #1. If you want to build a relationship with someone, you need to know their priorities. Develop a narrative that resonates with them.
be pragmatic and solicit feedback
Security should not block shipping, and it shouldn't be reactive. We triage vulnerabilities based on severity, but not all bugs are considered equal. Listen to the teams you support and proactively seek improvement opportunities.
In collaboration with Tom Maher

Even the most professional, security-conscious developers take it personally occasionally. It's not their fault. A regular drumbeat of "you're doing it wrong" will discourage anyone. Developers usually want to do the right thing. Promote thoughtful solutions that scale and balance technical capabilities with product usability.

the hacker mindset
aptitude
open source contributions, research, publications and bug bounty recognitions
breaker mindset
substantial knowledge of application-level attacks and flaws
builder mindset
strong knowledge of software development, browsers, cloud services, network, crypto and defense strategies
soft skills
effective communication skills and the ability to influence and communicate with engineers
Run security like a business:
Sorry, Mr. Hacker, this just isn't working out...

invest in vulnerability management, metrics and reporting

vuln management
deliver bug (backlog): a vulnerability is found, an issue is created and assigned to the team
work on a fix: the engineering team works out a fix, assisted by the security contact
verify fix: the fix is validated in a staging environment, including different variants
ship it!: the fix is released to production and required comms are handled

agile workflows
security owner: each product security engineer owns a portfolio of applications
proactive signoff: product teams are notified of any security issues and provided with hardening recommendations
design review: security owners are responsible for attending design reviews
continuous testing: security owners deploy automation and perform gray-box testing
threat modeling: security owners identify weaknesses and mitigations

vulnerability notifications
usability is key: the priority, description of the vulnerability, and the remediation target date should be emphasized
make it actionable: there should be a clear call to action on any vulnerability, indicating the proposed remediation
make it relevant: ensure the right engineering team and security owner receive notifications for their products

prioritize responsibly
Critical Priority (P0) – 7 days SLA
Medium Priority (P1) – 30 days SLA
Low Priority (P2) – 60 days SLA

SLA process
starts on delivery: only after the right product team has been identified and their engineers notified
resets if misrouted: teams should not be penalized for incorrect delivery
requires exception workflow: engineering manager and security manager approval is required if a security issue cannot be remediated within the agreed SLA

vulnerability management
01 – deliver bug
02 – work on a fix
03 – SLA is due
04 – exception requested
05 – manager approves
06 – security approves
07 – fixed!

track release progress
(chart: number of bugs in each state)
open bugs: bugs where no action has been taken
in progress: bugs actively worked on
resolved: fixed & verified

intake time / time to resolution
(bar chart per team, days on the horizontal axis from 0 to 14, each bar split into New, In Progress and Fixed)

vulnerability lifetime in production
(bar chart by quarter, Q1 to Q4: 20d, 15d, 18d, 22d)
▪ time to resolution measures the time from when a team starts working on a bug until a fix is deployed
▪ vulnerability lifetime instead starts when the vulnerability is introduced in production, at deployment; this metric measures the effectiveness of your product security program
▪ cross-referenced with pull request size, it can help understand complexity and exposure

SLA adherence benchmarks
(bar chart of SLA adherence per team, team a through team h)
highlights teams requiring assistance
recognizes teams that prioritize security

SLA trends over time
(line chart from Q2 17 to Q3 18 with three series: critical issues, all issues, low priority)

Benchmark by vulnerability type
XSS 66%
Session Management 83%
Authorization 91%
SQL Injection 44%
Information Disclosure 59%
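The SLA rules from the slides above (the clock starts only on delivery to the right team, resets when a bug was misrouted, and moves only with both the engineering manager's and the security manager's approval) together with the adherence benchmarks by team and by vulnerability type can be implemented directly in the vulnerability tracker. The following is an added example, not tooling from the talk: the 7/30/60-day values are the ones on the priority slide, while the class layout, the two approver role names and the ISO-date API are assumptions made for the example.

```python
from datetime import date, timedelta

SLA_DAYS = {"P0": 7, "P1": 30, "P2": 60}                    # from the priority slide
REQUIRED_APPROVALS = {"eng_manager", "security_manager"}    # assumed role names


def _d(iso):
    """Dates travel as ISO strings ('2018-06-01') at the API boundary."""
    return date.fromisoformat(iso)


class Vuln:
    """One tracked security issue with its SLA clock."""

    def __init__(self, vid, priority, vtype):
        self.id, self.priority, self.vtype = vid, priority, vtype
        self.team = None
        self.delivered = None          # SLA clock start, set on delivery
        self.fixed = None              # date the fix reached production
        self.exception_until = None    # requested extension, pending approval
        self.approvals = set()

    def deliver(self, team, on):
        """Start the SLA clock. Delivering again (a misroute) moves the clock
        to the new team and date, so the right team is not penalized."""
        self.team, self.delivered = team, _d(on)
        self.exception_until, self.approvals = None, set()

    def request_exception(self, until):
        self.exception_until = _d(until)

    def approve_exception(self, role):
        """Both managers must approve; one signature leaves the due date alone."""
        self.approvals.add(role)

    def resolve(self, on):
        self.fixed = _d(on)

    def due(self):
        """ISO due date, or None while the issue is not routed to a team."""
        if self.delivered is None:
            return None
        base = self.delivered + timedelta(days=SLA_DAYS[self.priority])
        if self.exception_until and REQUIRED_APPROVALS <= self.approvals:
            base = max(base, self.exception_until)
        return base.isoformat()

    def status(self, today):
        if self.fixed is not None:
            return "resolved"
        if self.delivered is None:
            return "unrouted"
        return "overdue" if _d(today).isoformat() > self.due() else "open"

    def met_sla(self):
        return self.fixed is not None and self.fixed.isoformat() <= self.due()


def adherence(vulns, key):
    """Share of resolved issues fixed within SLA, grouped by `key`
    (the team for the per-team benchmark, the vtype for the per-type one)."""
    hits, totals = {}, {}
    for v in vulns:
        if v.fixed is None:
            continue
        k = key(v)
        totals[k] = totals.get(k, 0) + 1
        hits[k] = hits.get(k, 0) + int(v.met_sla())
    return {k: hits[k] / totals[k] for k in totals}
```

Feeding `adherence(...)` with `key=lambda v: v.team` gives the per-team chart; `key=lambda v: v.vtype` gives the per-type benchmark. Only resolved issues count, so an open overdue bug shows up in `status()` rather than silently lowering a team's percentage.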

90% of developers received security training

73% of teams have automated coverage (SCA | RTA | DAST)

automate all the things
Complexity is the enemy of security:
Secure by default or die not actually trying

scaling source code reviews
we cannot review 98% of check-ins

40%+ of security vulnerabilities can be automatically detected

vulnerability demographics
(diagram: low-hanging fruit, where automatic discovery is possible, versus the remainder, where manual testing is required)

vuln sources
penetration testing 20%
automation and tooling 35%
bug bounty programs 40%
regressions 5%

CI/CD integration
analyzes check-ins, automatically logs issues, then manual validation

types of automation
static code analysis: analyzes source code flows and incremental check-ins with known rules
dynamic analysis: capable of testing web service and application endpoints in production
runtime self-protection: detects when an application's normal flow is being exercised by a malicious actor
(diagram: the output of all three is triaged down to actual vulnerabilities)

open source software
Vulnerabilities in Third-Party Libraries
A solid third-party library program is required to review exploitable vulnerabilities and dependencies. Monitor CVEs and public exploits.

successful automation
false positives: not actual vulnerabilities
acceptable risk: things that are technically valid but we are willing to live with due to mitigating controls or exploitability
issues we care about: important, exploitable vulnerabilities

Invest in product hardening

awkwardness: that period with an API after you know what you can do but before you know what you should do
(The Kaminsky Dictionary)

nailing the fundamentals
01 HSTS & CSP: HTTP Strict Transport Security and Content Security Policy
02 Device Fingerprinting: stopping account take-over attempts and using second-factor auth smartly
03 Secret Management: storing secrets securely
04 Proactive Controls: providing users and admins with management controls and visibility

reducing the attack surface
HSTS, CSP & Expect-CT: ensuring that all requests are made with strict transport security and that rogue certificates are not being used (certificate transparency). Content Security Policy lets us filter out insecure content, avoid referrer leakage and, in general, block malicious JavaScript from executing.
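As an added example (not code from the talk), here is a header set for the controls above plus an auditor that flags the weak configurations a security owner would catch in review. It works on a plain dict, so it can be pointed at any captured response without network access. The header values are this example's recommendations, not the speaker's. Two caveats it encodes post-date the talk: Expect-CT is deliberately left out, because browsers have enforced Certificate Transparency for all publicly trusted certificates since 2018 and Chrome removed the header in 2022, and referrer control is expressed through the Referrer-Policy header rather than the CSP referrer directive, which was dropped from the spec.

```python
import re

ONE_YEAR = 31_536_000   # seconds; the HSTS preload list requires at least this

# Recommended values for this example. No Expect-CT: CT is enforced by the
# browser for every publicly trusted certificate, so there is nothing to opt
# into. Referrer leakage is handled by Referrer-Policy, not by CSP.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'none'; upgrade-insecure-requests"
    ),
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def parse_csp(policy):
    """'script-src a b; object-src c' -> {'script-src': ['a', 'b'], ...}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings for a response's headers (names are matched
    case-insensitively). An empty list means every check below passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the first plain-HTTP request can be hijacked")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age={age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains can still be downgraded")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: nothing restricts where scripts may load from")
    else:
        d = parse_csp(csp)
        script = d.get("script-src", d.get("default-src", []))
        if not script:
            findings.append("CSP has neither script-src nor default-src")
        has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in script)
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("CSP script-src allows 'unsafe-inline' without nonce/hash: inline XSS still runs")
        if "*" in script or "http:" in script:
            findings.append("CSP script-src allows any host: an injected <script src> still loads")
        if "object-src" not in d and "'none'" not in d.get("default-src", []):
            findings.append("CSP lacks object-src 'none': plugin-based injection is not blocked")

    if h.get("referrer-policy") is None:
        findings.append("Referrer-Policy missing: URLs carrying tokens may leak in the Referer header")
    return findings
```

A CSP that pairs `'unsafe-inline'` with a nonce or hash is not flagged, since CSP3 browsers ignore `'unsafe-inline'` once a nonce or hash is present (it is left in only for legacy browsers).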

secret management
identify secrets: use rules & regular expressions; implement automatic validation
store securely: key management system (key vault with HSM)
rotate secrets: automatically perform key rotation
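Added example (not the speaker's tooling) for the "identify secrets" step above: a scanner that applies regex rules to source text and then validates each hit automatically, dropping placeholders and low-entropy strings so that it reports issues we care about rather than false positives. The rule set, the entropy threshold and the sample input are constructed for the example; the AWS key in the sample is the one AWS uses in its own documentation, not a live credential. Storing and rotating the secrets it finds depends on your key vault and is not shown.

```python
import math
import re

# Rules: (name, compiled regex). Format-specific patterns (AWS key ids,
# PEM private keys) are precise enough to report as found; the generic
# assignment rule captures the value so it can be validated first.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment", re.compile(
        r"""(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['"]?([A-Za-z0-9+/_=-]{8,})""")),
]

PLACEHOLDERS = ("example", "changeme", "dummy", "xxxx", "your_", "<", "${", "{{")
MIN_ENTROPY = 3.5   # bits/char; assumed cut-off, tune against your own false positives


def shannon_entropy(s):
    """Bits per character. Random base64/hex credentials sit well above 4.0;
    words, repeated characters and placeholders sit well below."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_real(value):
    """Automatic validation: reject obvious placeholders and low-entropy
    strings so the generic rule only fires on credential-shaped values."""
    low = value.lower()
    if any(p in low for p in PLACEHOLDERS):
        return False
    return shannon_entropy(value) >= MIN_ENTROPY


def scan(text, path="<stdin>"):
    """Return [(path, line_no, rule_name, value)] for each suspected secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if name == "generic_assignment" and not looks_real(value):
                    continue
                findings.append((path, no, name, value))
    return findings


# Constructed sample input: one placeholder, one documented example key id,
# one random-looking API key, one low-entropy token and a PEM header.
SAMPLE = '''DB_PASSWORD = "changeme"
aws_key = AKIAIOSFODNN7EXAMPLE
api_key: "q7Fh2kLp9sXw3VbN8mZt4yRc6uEa1Gd0"
token = "aaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
'''

if __name__ == "__main__":
    for path, no, rule, value in scan(SAMPLE, "config.py"):
        print(f"{path}:{no}: {rule}: {value}")
```

Run over the diff of each check-in (for example from a pre-commit hook) rather than the whole tree, which keeps the 98%-of-check-ins problem tractable; hits from the generic rule still deserve a human look, which is why the value is returned rather than just the line.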

session management
(mock account security page, www.nsa.gov, with panels: Login History, Device & Location, Apps / OAuth, Active Sessions)

device fingerprinting
Proper device fingerprinting combined with behavioral and geolocation analytics enables you to perform contextual two-factor authentication via SMS or one-time links / tokens via email, reducing false negatives and false positives.
smart and effective implementation
linked to the user: fingerprints are stored over time and attached to a given user identity
unique: prioritize features with a higher weight, more specific to your users
adaptive: understand that certain capabilities for the user-agent can change
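Added example (not the speaker's implementation) showing the three properties above in code: fingerprints are stored per user identity over time, features are weighted so the more user-specific ones dominate, and the comparison is a score rather than an exact match, so drift in volatile features (a browser update) does not force a second factor while a wholly different device does. The feature names, weights, threshold and sample fingerprint are assumptions constructed for the example and would have to be tuned against real false positive / false negative data; the SMS or email step-up itself is out of scope.

```python
from dataclasses import dataclass, field

# Feature weights (assumed values): higher for features that are specific
# to a user and stable over time, low for things that legitimately change
# with every browser update.
WEIGHTS = {
    "canvas_hash": 3.0,
    "timezone": 2.0,
    "platform": 2.0,
    "screen": 1.5,
    "language": 1.0,
    "ua_major": 0.5,       # browser major version: changes every few weeks
    "plugins_hash": 0.5,   # also drifts with updates
}
STEP_UP_BELOW = 0.75       # similarity below this triggers the second factor (assumed)


@dataclass
class UserDevices:
    """Fingerprints seen for one user identity, accumulated over time."""
    user_id: str
    known: list = field(default_factory=list)


def similarity(a, b):
    """Weighted share of matching features, in [0, 1]. A feature missing on
    either side counts as a mismatch, so a fingerprint stripped down by a
    privacy extension cannot score higher than the data it actually carries."""
    total = sum(WEIGHTS.values())
    matched = sum(w for f, w in WEIGHTS.items()
                  if f in a and f in b and a[f] == b[f])
    return matched / total


def decide(devices, fp):
    """Return ('allow' | 'step_up', score) for a login presenting `fp`.
    On 'allow' the fingerprint is stored, so drift in low-weight features is
    absorbed over time instead of challenging the user after every update."""
    if not devices.known:
        return "step_up", 0.0          # first device ever seen for this identity
    score = max(similarity(fp, k) for k in devices.known)
    if score < STEP_UP_BELOW:
        return "step_up", score
    if fp not in devices.known:
        devices.known.append(dict(fp))
    return "allow", score


def after_second_factor(devices, fp):
    """Once the SMS / email-link challenge succeeded, remember the device so
    the next login from it is not challenged again."""
    if fp not in devices.known:
        devices.known.append(dict(fp))


# Constructed sample fingerprint, not data from any real user.
BASE_FP = {
    "canvas_hash": "c1", "timezone": "Europe/Madrid", "platform": "MacIntel",
    "screen": "1440x900", "language": "en-US", "ua_major": "67", "plugins_hash": "p1",
}
```

Behavioral and geolocation signals from the slide would enter `decide()` as additional weighted features (or as a separate risk score combined with this one); keeping them out of the fingerprint itself avoids penalizing a user whose device is unchanged but who is simply travelling.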

proactive controls (after the OWASP Top 10 Proactive Controls)
Define Security Requirements
Leverage Security Frameworks
Secure Database Access
Validate Inputs & Escape Data
Enforce Access Controls
Protect Data at Rest & in Transit
Implement Secure Logging
Handle Errors & Exceptions

create a mature education & awareness program

threat modeling
Learn to think like a hacker and identify threats and security objectives. Identify flows, mitigations and make informed decisions about residual risk.

self-guided training
deliver secure coding guidelines that are relevant to our organization's languages and frameworks
at a minimum, common attack patterns, secure storage, cloud security and secure feature design should be covered

classroom training
▪ Clear secure coding guidelines
▪ Real-life libraries & frameworks
▪ Previous vulnerability examples
▪ Actionable code snippets
Keep it relevant! e.g. NodeJS developers don't need to know about XML injection and heap overflow exploitation

security champions
shared accountability: programs like this help you scale as engineering organizations outnumber security engineers
Recognize and reward good behavior across all roles

leverage the collective skills of the research community

why do I need a Bug Bounty Program

"Everything fails. Even things that make everything fail." Dan Kaminsky

launching a bounty program
scope: what to include as your targets and how to frame it
rewards: how to reward competitively
recruiting: who to invite to your program and when
engagement: how to keep hackers interested over time

a global community
(pie chart of researcher distribution by region: segments of 30%, 20%, 20%, 20% and 10%; region labels not captured)

Over 170,000 hackers participating
Over 70,000 vulnerabilities found
Over $30 million paid in bounties
Data as of June 2018. Source: HackerOne

engage your top researchers
Fly them to Vegas and keep them hydrated. Be transparent and overcommunicate. Keep them happy. Fly them to your HQ. Recruit them if necessary. Be prompt, reasonable and technical. Run recurring promotions and challenges.

Private programs enable you to increase the signal to noise ratio. VIP programs drive retention. Consider researcher circles for knowledge sharing. Recruit from active programs. Reward competitively. Defuse escalations / disclosure. Resource your program.

deploy a solid SDL and maturity model

six steps for a good SDL
design: Threat Modeling, Design Reviews
build: Static Code Analysis, Code Reviews
verify: Penetration Testing
release: Dynamic Testing, Bug Bounty
ownership: Patch Management, Remediation, Pen-testing
learn and refine: Retrospective, Planning
Page 68
maturity model
Evidence-based framework for evaluating the overall security stance of a business unit or new acquisition. Provides an authoritative and consistent roadmap for the advancement of the organization's overall product security posture. Should be meaningful and objective.
Page 69
Another day, another layer of abstraction
Page 70
maturity model
level 1 – initial
Application Login/Admin Interface Inventory
Continuous Dynamic Application Scanning
Customer Data Inventory
HTTPS By Default
Legacy Source Code Review & Remediation
Product Security 3rd Party Assessment
Strong Password Hashing
Roadmap axis: Q1 Y1, Q3 Y1, Q1 Y2, Q2 Y2, Y3+ (level 1 marker)
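The level 1 list names Strong Password Hashing and Legacy Source Code Review & Remediation as controls but not what "strong" has to mean in code, or how an existing user base gets migrated. The block below is an added example, not code from the talk or from Jet.com: a password store built on scrypt from Python's standard library, with a self-describing record format so the cost parameters can be raised later, a constant-time verify, and an upgrade-on-login path for a hypothetical legacy store of unsalted SHA-1 hashes. The record formats `$scrypt$...` and `$sha1$...`, the parameter choices, and the `login` helper are this example's own assumptions.

```python
"""Strong password hashing with parameter upgrade (added example, not from the talk).

Record formats are this example's own convention:
  $scrypt$<n>$<r>$<p>$<salt_b64>$<hash_b64>   current format
  $sha1$<hex>                                   hypothetical legacy, unsalted SHA-1
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Current policy. scrypt uses 128 * n * r bytes of memory: 16 MiB here, which stays
# under OpenSSL's default 32 MiB limit, so hashlib.scrypt needs no maxmem argument.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32          # derived key length in bytes
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Hash with a fresh random salt and embed the parameters in the record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return f"$scrypt${n}${r}${p}${_b64(salt)}${_b64(digest)}"


def legacy_sha1_record(password: str) -> str:
    """How the hypothetical pre-migration system stored passwords (no salt, fast hash)."""
    return "$sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against either record format."""
    parts = stored.split("$")
    if len(parts) == 7 and parts[1] == "scrypt":
        n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
        salt, expected = base64.b64decode(parts[5]), base64.b64decode(parts[6])
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                                dklen=len(expected))
        return hmac.compare_digest(actual, expected)
    if len(parts) == 3 and parts[1] == "sha1":
        # Legacy records are accepted only so the account can be upgraded on next login.
        legacy = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(legacy, parts[2])
    return False


def needs_rehash(stored: str) -> bool:
    """True for legacy records and for scrypt records below the current policy."""
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return True
    n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def login(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (authenticated, replacement_record). The caller persists the
    replacement when it is not None; login is the only moment the plaintext
    is available, so it is the only moment a legacy record can be upgraded."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    record = legacy_sha1_record("correct horse battery staple")
    ok, upgraded = login("correct horse battery staple", record)
    print(ok, upgraded)
```

Raising `SCRYPT_N` later changes nothing for stored records: `needs_rehash` starts returning True for them and each account is moved to the new cost on its next successful login, which is the same path that retires the legacy SHA-1 records.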
Page 71
maturity model
level 2 – defined
Basic Logging for Security Events
Client Software is Signed
Encryption keys not stored in source control
Security Requirements for New Features and Designs
NGWAF deployed for Web + API endpoints
In-House Manual Testing of Codebase / App
No "Roll-your-own" Cryptography
Security Tools Run Against Codebase / App On Release
Strong Session Management (AuthN/AuthZ)
Strong Encryption Standards
Page 72
maturity model
level 3 – managed
Enhanced Application Logging
HTTPS-Only (HSTS)
Inventory of open source
SLA + Signoff or Equivalent Control (> 90% adherence)
Source Code Check-in Monitoring
Strong Multitenancy Controls
Multi-factor Authentication
Strong Secrets Storage
Strong Session Authentication/Authorization
Threat Modeling of New Features
Role-Based Access Control
Page 73
maturity model
level 4 – mature and automated
Static Code Analysis at Check-in time
Runtime and Dynamic Analysis
APIs must support multi-scope tokens
Bug Bounty Program Coverage
Code Signing
Continuous External App Scanning
Field-level Authenticated Encryption
Integrated Automated Security Testing with QA Process
Device Fingerprinting
Test Key/Credential Rotation
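Three controls spread across levels 2 to 4 (Encryption keys not stored in source control, Source Code Check-in Monitoring, Static Code Analysis at Check-in time) share one enforcement point: the check-in itself. The block below is an added example, not the speaker's or Jet.com's tooling: a pre-commit style scanner that reads a unified diff (as produced by `git diff --cached`), inspects only the added lines, and flags known credential formats plus high-entropy literals assigned to secret-looking names. The embedded diff is constructed for the example (the AWS values are the placeholder credentials AWS publishes in its own documentation); the pattern set, the 3.5 bits/char entropy threshold and the script name used in the usage note are this example's assumptions, not a complete ruleset.

```python
"""Check-in secret scanner (added example, not the speaker's or Jet.com's tooling).

Reads a unified diff (e.g. `git diff --cached`) and reports added lines that
look like credentials, so the hook can reject the commit before the secret
reaches source control. Patterns and threshold are illustrative assumptions.
"""
import math
import re
import sys
from collections import Counter
from typing import List, Tuple

# High-confidence formats: a hit here is almost never a false positive.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}
# Generic catch: a secret-looking name assigned a quoted literal of 16+ chars.
# The literal is then judged by entropy so placeholders like "changeme" pass.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|api[_-]?key|token|private[_-]?key)\w*"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex/base64 keys score about 4 to 5
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

Finding = Tuple[str, int, str]  # (path, line number in the new file, rule name)


def shannon_entropy(text: str) -> float:
    """Bits per character of the literal; low for repeated or dictionary-like values."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def classify(line: str) -> List[str]:
    """Rule names that fire on one line of source."""
    rules = [name for name, pat in KNOWN_PATTERNS.items() if pat.search(line)]
    m = SECRET_ASSIGNMENT.search(line)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        rules.append("high_entropy_secret_assignment")
    return rules


def scan_diff(diff_text: str) -> List[Finding]:
    """Walk the diff, track the new-file line number, and classify added lines only."""
    findings: List[Finding] = []
    path, line_no = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                   # new-file header, e.g. '+++ b/app.py'
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            line_no = int(header.group(1))
            continue
        if raw.startswith("-"):                      # removed lines never reach the repo
            continue
        if raw.startswith("+"):
            for rule in classify(raw[1:]):
                findings.append((path, line_no, rule))
        if raw.startswith((" ", "+")) or raw == "":  # context and added lines advance the count
            line_no += 1
    return findings


def should_block(diff_text: str) -> bool:
    return bool(scan_diff(diff_text))


# Constructed sample diff. The AWS values are the placeholder credentials AWS
# publishes in its own documentation, not real keys.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@ DEBUG = False
 DATABASES = {"default": {"ENGINE": "django.db.backends.postgresql"}}
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+SESSION_COOKIE_SECURE = True
+ADMIN_PASSWORD = "changeme"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0WlOBhQ8examplekeymaterialonly
+-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for path, line_no, rule in scan_diff(diff):
        print(f"{path}:{line_no}: {rule}")
    sys.exit(1 if should_block(diff) else 0)
```

Wired as a client-side hook (`git diff --cached | python checkin_scan.py`, with the hypothetical script name standing in for wherever the block lives), a non-zero exit rejects the commit. Client hooks can be skipped, so the same `scan_diff` belongs in a server-side pre-receive hook over the pushed range as well; that is the "check-in monitoring" half of the control, and it is the one that catches the developer who ran `--no-verify`.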
Page 74
maturity model
level 5 – optimizing
Built-In Honeypot / Indicators
Automated OSS Coverage
HSM and Device Fingerprinting
Behavioral Anomaly Detection
Usage of App Containers
Page 75
sample scorecard
Columns (maturity level): initial, defined, mature, optimizing
Rows (security control):
HTTPS by default
Strong Session Management
Multi-Factor Authentication
Bug Bounty Program
Credential Rotation
Page 76
the last 0day is in captivity – the galaxy is at peace
Page 77
thank you!
* you guys were great
Page 78
contact
PradoAngelo
LinkedIn.com/in/angeloprado
Check out my SSL Research: BreachAttack.com