Twubhubbook - it's like appsec, but for startups (without notes)

Transcript

1. I T ’ S L I K E A P

   P S E C , B U T F O R S T A R T U P S TWUBHUBOOK

2. Originally from the bay, Brent spends his time doing all

   the fun things LA has to offer while he longs for the days when he can move back home. Finally has a twitter account. a.k.a. @brentjo on GitHub @gsmbj on twitter Brent Johnson TROJAN. BOUNTY TRIAGE EXPERT. BUSINESS LOGIC FLAWS ARE HIS FRIEND.

3. I like dog. Twitter: @ndm Neil “oreoshake” Matatall ASPIRING PARK

   RANGER. DOES NOT LIKE COMPUTERS.

4. W H A T ’ S A T W U

   B H U B B O O K Greenfield In many disciplines a greenfield project is one that lacks constraints imposed by prior work. The analogy is to that of construction on greenfield land where there is no need to work within the constraints of existing buildings or infrastructure - Wikipedia

5. W H A T ’ S A T W U

   B H U B B O O K C O N T ’ D Young application Think pre-pre-pre-pre-pre-IPO.

6. W H A T ’ S A T W U

   B H U B B O O K C O N T ’ D Mature application

7. The Future: 2025 D A Y O N E O

   N T H E J O B Oddly, the mannequin challenge is still even in 2025.

8. 2 4 | Agree on acceptable technology | Always stay

   current | Review architecture | Code review culture

9. 4 | Agree on acceptable technology | Always stay current

   | Review architecture | Code review culture

10. 4 | Agree on acceptable technology | Always stay current

    | Review architecture | Code review culture

11. | Agree on acceptable technology | Always stay current |

    Review architecture | Code review culture

12. B E I N T H E B U S

    I N E S S O F P R E V E N T I O N SECURITY DOES NOT HAVE TIME TO FIX OR FIND BUGS

13. What have we accomplished?

14. Building a healthy culture W E E K 2 O

    N T H E J O B

15. W E ’ R E H E R E T

    O S A Y “ B E C A R E F U L ” SECURITY IS NOT HERE TO SAY “NO”

16. Twubhubbook hits its first milestone 1,000,000 MAUS

17. What have we accomplished?

18. The game has changed, strategies must be updated. PROCESSES MUST

    SCALE CULTURE MUST STAY STRONG FLEXIBILITY IS IMPORTANT

19. FOCUS ON LEARNING “I TOLD YOU SO” IS FORBIDDEN “The

    incident”

20. What have we accomplished?

21. The security team grows D A Y ? ? ?

    O F ? ? ? Mommy, wow! I’m a big kid now.

22. | FRAMEWORK HARDENING 2 4 3 1 | COLLAB WITH

    STANDARDS BODIES | SHARED RESPONSIBILITY

23. The bug bounty turns 3! MORE BUGS, BIGGER BOUNTIES

24. HOLD ON FOR YOUR ASSES PERHAPS TAKE UP MEDITATION Pre-IPO

25. I HEARD YOU HAD TO WRITE A FIFO CACHE IN

    COLLEGE — CAN YOU REVIEW THIS MIPS CODE OUR CORE BUSINESS OPS NOW DEPEND ON? Stack Diversifies

26. Development stack consolidates DON’T BUDGE ON SECURE BY DEFAULT, HARDEN

    THE FRAMEWORK, DESIGN SERVICES SECURELY.

27. TESTS FOR EVERYTHING. ROLES FOR EVERYONE. Beyond basic appsec

28. The IPO engineer = Twubhubbook.appsec_team.first; engineer.company = BayArea.startups.next;

29. “STARTING UP SECURITY” - RYAN MCGEEHAN HTTPS://MEDIUM.COM/STARTING-UP-SECURITY “THE SAAS CTO

    SECURITY CHECKLIST” - SQREEN HTTP://CTO-SECURITY-CHECKLIST.SQREEN.IO/ Further Reading

30. KAILUA KONA, HAWAI’I APRIL 2018 LOCOMOCOSEC.COM @LOCOMOCOSEC Loco Moco Security

    Conference