A Pragmatic Approach for Internal Security Partnerships

Esha Kanekar, Scott Behrens at AppSec California 2019

Why do we have such a hard time getting engineering teams to care about vulnerabilities? How is it that we are fixing lots of vulnerabilities, yet are still falling ever further behind on the actual risks? These questions both have the same answer, but getting to it requires empathy, trust, courage, and a giant step back from our day-to-day approach to security.

In this talk we will share our experiences about creating proactive partnerships with engineering and product teams. From the ways we have seen this fail to recent success stories, we will illustrate specific practices that help developers and security teams focus and align on a shared view of risk, rather than a laundry list of vulnerabilities: the leverage that comes from enabling rather than gating, automating for visibility and action to manage scale, threat modeling across organizations rather than individual applications, and the particulars of how we get big security features onto busy product teams' roadmaps.


Scott Behrens
Senior Application Security Engineer, Netflix
Information security engineer with a focus on helping organizations enable their business's success. Extensive experience in application security, penetration testing, and security automation at scale. Researcher and author of multiple articles on social media security and code obfuscation.

Esha Kanekar
Senior Technical Program Manager, Security, Netflix
Responsible for leading and delivering the full life cycle of projects, which includes conducting risk assessments, performing gap analysis based on security assessments, and providing remediation road maps to organizations.