Infosec Makeover: Love it or Leave it, Product Security is Here to Stay

Jen Trahan, COO at Sierra Club
Wiktor Szymański, Director, Product Security at Discovery Inc

RSAC 2021, May 20, 2021, Online, USA
Video, duration 40:01
About speakers

Jen Trahan
COO at Sierra Club
Wiktor Szymański
Director, Product Security at Discovery Inc

Jen Trahan is a passionate, hands-on security leader who focuses on enabling developers through automation while scaling security to match business needs. A strong proponent of practical security, she is experienced in general application development and security, CI/CD pipelines and mobile/API/web pentesting. In a variety of roles, Trahan has built, shipped, and secured software for millions of customers for over 20 years. By baking security into the culture and focusing on the basics, she meets developers where they are, using their toolsets and speaking their language.


Wiktor Szymański is a Product Security Director who has been immersed in Infosecurity for over eight years. Before joining the Product Security team at his current employer, he worked as a Consultant for Big 4 companies and an Application Security Expert for a financial institution. He is fond of designing and implementing security mechanisms, conducting penetration tests, and resolving complex security problems and dilemmas. He is a graduate of the Warsaw University of Technology and Technische Universität Berlin. Board game geek, LEGO enthusiast, and true fan of sharing knowledge, Szymański likes speaking at conferences and writing articles.


About the talk

Jen Trahan, VP, Global Product Security, Discovery Inc.
Wiktor Szymański, Director, Product Security, Discovery Inc.

In the last couple of years we have seen the construction of a new trend called Product Security. This session will frame what Product Security is and how to determine if an organization should renovate to include it. Additionally, it will provide insights into the right practitioners to get folks there and walk through a case study of hiring Product Security Engineers in Central Europe.


Hello everyone. My name is Jen Trahan. I am a VP of Product Security and I'm here with Wiktor Szymański. We want to say a big thank you for coming and joining us. We can go ahead and talk about an information security makeover, and specifically we want to take it into product security. If you have any questions during the presentation, please feel free to ask them in the chat.

So when I told a friend I was going to be presenting on product security, they asked me a really great question, and it turned out I didn't know the answer to it. What they asked me is how many companies are actually doing product security. While I've heard of product security for the last decade, and certainly it's hit a fever pitch here in the last four or five years, I had no idea how many companies are doing it. So I decided to try to measure that myself. I went and looked at the Fortune 100 companies to estimate who is doing product security, looking for anyone who is hiring product security at any level. My very official spreadsheet found that 19 out of the hundred were actively hiring product security. That's 19%, obviously, so it's safe to say that 19% of the Fortune 100 companies are actively hiring somebody for product security right now. When I looked at certain mainstream tech companies, I found it was somewhere closer to 50% actively hiring product security. So we know that the number is probably even more than this.

With one in five companies doing product security, let's talk a little bit about what it is. Truth is, there's no consistent or standardized framework for what makes up product security. I'd say that there are a lot of emerging and working definitions of product security; I've got a number of them here. There are some key important aspects that all of these definitions call out: in this case, a superset of security for particular products and systems, a partnership with all the stakeholders across the entire product life cycle, and lastly, cross-discipline. And I think I would add to all those great definitions that, in my opinion, product security is an approach for structuring your security program around the threat model of a product and the entire scope of that product.

So now that we have a definition for product security, let's talk about some questions or some confusing areas that I've definitely had some heated debates with co-workers about. One of them is: what about enterprise security? How does that relate? The other one is about application security. Let's walk through the main components of an enterprise and what it takes

to enable a business to go about its day. We've got data centers, laptops, physical offices, email, wireless networks, sensitive data, mobile devices that your employees might have, as well as other systems, and all of these are things that bad actors, including sharks, are very interested in taking advantage of. Enterprise security is really focused on all the aspects of the enterprise, and really about protecting the enterprise as a whole.

Let's walk through a product and the aspects that we need to consider for that. In this case, let's talk about a product that might be an e-commerce product, for example, and we're going to look at this from the consumer's point of view. I'm going to put the product in the center and we'll think about what a consumer might interact with. Consumers are going to provide us with sensitive data so that we can ship them a product, for example. They're going to be shopping through our applications, and we have content that's feeding into those applications behind the covers. A lot of this is probably hosted, maybe in our example, in a cloud environment. There are developers who work with all of those different applications and content pipelines. We have lots of different types of operational tools that tell us, from consumer metrics, how they're enjoying their product, all the way down to whether or not our systems are up and running, and underneath all of that the code and the application development side of things. All of this makes up the product's surface area and all the different components that make up what I would consider a product.

And again, it's like an enterprise environment: there are bad actors, fraudsters, bots, aliens. They're all looking to do something, potentially to exploit these systems, and product security is really focused around the end-to-end of securing these products. As you can see from enterprise versus product security, there are very significant surface areas in both of these circles here. They likely both require very robust security controls, but they might have very different information security capabilities needed. And so they're both very important, but they may have very different security requirements.

Now, let's talk a little bit about application security. Application security is focused primarily, and historically, on the top half of what we have here for our example product: things like the applications, the sensitive data, the source code, and the development pipeline for getting those applications to our consumers. As you can see, that leaves a lot of other things kind of out in the cold, and our favorite aliens are coming in, and they're not protected by application security because we've got some other things that are out of

scope that aren't protecting the product here. To double-click into that a little bit more: application security usually focuses a lot on analysis, and then we had our big wave of shift left. And that was great; that's really about putting security more into how we're building a product, and I think that has really moved the needle a lot. But there are other areas. For example, an AppSec team is generally working very closely with the engineering team to prevent things like account takeover attacks, for example, for something like a consumer commerce product, creating strong passwords, all these great controls. But generally speaking, an AppSec team isn't interacting with the customer care department, for example, to walk through their manual playbooks, and, you know, maybe not working with them on things like social engineering attacks that might actually present a real security risk to the consumer data coming through a manual customer service representative, that's not coming through an application, for example. Or other areas like operational readiness. For the entire operational readiness, getting security-relevant logs, etc., into the SIEM, ensuring that we have the cloud infrastructure logs in the SIEM: that's generally not been in the purview of an AppSec program.

So, I kind of threw an e-commerce product out there as an example, but let's talk a little bit about what a product might be. At a very high level, think about anything that is built by your company that is important to the success of your organization. Obviously, I'll walk through some very specific product types that you can think about, but at a very high level, it's something that's built by your company that's important to its success. It might even be completely internal. So obviously things like video games and video game platforms, maybe some more traditional products coming off a factory line, systems in cars, distribution systems, software for drop shipping, for example. Perhaps you have a brick-and-mortar portion of your company, and it has consumer merchandise and in-store visual experiences. Medical equipment and implanted devices are becoming more and more popular and more important to consumers; that would be a really interesting area to look into. They might have consumer reservation systems; they might also have very robust, internally built, critical staff scheduling software that might be really critical to the operation of the business. I would consider that to be a product. Then factory equipment, other things like data science and business intelligence systems, BI, ML, all of those might need a focused security area that is really important to the success of your company. Equally, I sometimes think about a product as a brand, as a total brand, and I think about not only the consumer applications, but is there a marketing site that's also feeding that application? Think about it as a brand.

Great. So now we've considered the entire scope of what makes up a product. In our case we've got our example consumer product, an e-commerce product, that might be a collection of products in your world. Now we're going to consider what makes up this kind of

product. Let's consider what kind of information security capabilities would be required to secure each of those different areas. What we're going to do is an exercise where we determine what kind of information security organization and capabilities we would need to secure this product. You want to do this very objectively. Don't consider what's already in your security organization; just consider what you would do from scratch. Who would you hire to secure this product or these product types? What would you build?

So working with our example here, let's start with the fact that it's hosted in the cloud. I think that's a good place for us to start. We want to make sure that we have a cloud security program that would make sense: a detection catalog, anomaly detection, audit logs, identity management, etc., as well as configuration, et cetera. So we definitely want to make sure we've got a strong program there. Then on the application side of things, this is where we'll find some more of the basics of classic application security, and a lot of the DevSecOps shift-left type of application security that everyone's talking about. A couple of other areas that historically I haven't seen as much on the AppSec side of things: specifically, I want to call out operational security, because things like monitoring and alerting and dashboards on the application layer and beyond are really important, and we want to make sure that's baked in. Then let's think about our inventory. What is the footprint? What makes up this product or brand? So, thinking through an external inventory: what does it look like from the outside world, collecting and classifying that data, as well as other things related to your cloud account inventory. Then obviously a robust vulnerability management program would be something that you want to build. And last but certainly not least, let's talk about design. For a product like this, we want to make sure we include all of the aspects that you'd have in a mature application security program, plus the other avenues that present risk to the product, things like, as I said, customer support, and other things about feature design and threat modeling, as well as technical assessment.

Pull all of that together and what you would end up with is something very large that would be the end-to-end of everything it would take, from a capabilities point of view, for an information security organization to properly secure a product such as the one we have here as an example. I want to call out that if, instead of a commerce product, this product was an embedded product, you might have a whole section on physical security and your physical supply chain, and how you get your firmware burned into your device. That would be totally appropriate for that

type of product. So this is really meant to be an exercise in thinking about the different surface area model and how that matches the capabilities of how you would protect and defend it.

Now that we've completed what I hope to be a very objective view of what it would take to secure a product like this, let's bring it back to your existing org. In our exercise, I'm going to go through and talk a little bit about if I had an organization that had the product we've been talking about, and then take that, based on what I have in my existing organization, and look at places where I have some gaps. So we're going to walk through this mind map from the previous slide and, in each aspect of it, really assess whether or not your program's capabilities denoted here actually exist. In this case, what I've done is anything that's red with a bold edge is a true gap in capabilities. That means I'm missing tools, process, people that know how to do these types of security capabilities. Others are things that exist within my organization, but maybe I currently don't use them for products; I use them more for IT, so vulnerability management, maybe: I have a very robust program for enterprise IT, laptops, for example, a vulnerability management program for that, but I don't have that applied necessarily to the infrastructure that makes up a product. So we're going through and identifying gaps for areas where I just don't have those capabilities, or areas where I'm not leveraging what I already have. This exercise is really important to determine how well you are positioned to be protecting your products.

So far we've talked about what product security is, how it relates to enterprise security, and how it is a superset of application security. We have gone over what the concept of a product might mean in your world. Then we've done that lightweight brainstorming exercise for, end to end, what kind of security program you would need to secure that product, and finally how to think about highlighting gaps, based on that brainstorming model, for what kind of security capabilities you have. I want to transition more into focusing on the people that make up a product

security program. Recently I've had a major construction project happening at my house, which has been very educational for me. There are many aspects that make up a large remodel project in my house: architects and builders, as well as everybody's beloved city inspectors, and drywallers and electricians and plumbers. Thankfully, I also have a general contractor, and they're amazing; they have a fantastic company who did a really great job of making everything work really, really smoothly, and I'm really thankful for that. As I started to think of all the other subsystems that make up my house and the parts of my house that need to be taken care of, things like physical security and making sure all of that is set up for a window, and those kinds of things I would never know about like smoke detectors and fire extinguishers and other kinds of CO2 alarms, et cetera, they work with the right people, safety specialists, to ensure that, you know, we're complying with the fire department.

While thinking through this, it became very clear to me the importance of my contractor when he was having a small emergency. There was an eager drywaller who was trying to get their job done; they had waited for the plumber and the electrician to finish their work, and they were about to basically drywall over everything, as they're supposed to. But the problem was that the inspection hadn't happened yet. So we almost had a huge issue where the inspector hadn't had a chance to sign off on all of the plumbing and wiring before the drywaller covered it all up. Thankfully this, you know, was caught before it became a huge financial problem, but it was during this time that I became acutely aware of the value of my general contractor. He's great at fabricating things himself; I've seen him build full walls and do plumbing, et cetera. He also understands the scope of the project and he has a keen eye for all of the different cross-discipline requirements, why they're important, and what feeds into what area. So that was almost a costly mistake, and it made me think a lot about the value of a general contractor.

So I started thinking, what is the general definition of a general contractor? And it really is exactly what my company is doing: responsible for the end-to-end material and labor for the construction project, and they might bring in specialized talent and specialized people to do things like HVAC, et cetera. But, you know, for the most part, they own everything themselves. When I started thinking about product security, I realized that product security is actually just the general contractor of infosec. So a product security team is responsible for all of the labor and materials, and equipment and engineering tools for securing a product. They might work with specialized subcontractors or SMEs to perform parts of the security program, but ultimately, they're a lot like a general contractor of infosec.

Going back to our house construction, this time instead of a house let's think about it as our company's products that we're building. There's still an architect (we all overuse that word, but there's still an architect), as well as compliance, designers and business owners, as well as a

DevOps organization. Here's our lovely product security professional, and they are the interface between a lot of the other subsystems that help keep the products safe, such as the SDLC, the secure development life cycle, monitoring, and they work with a lot of the other areas within the organization, such as security engineering, the AppSec team, and the SOC, sitting right in the middle, where they're a general contractor capable of doing a lot of the infosec for a specific product, but they also work really, really closely with the SMEs in there.

Let's go quickly through kind of the key areas of what makes up a product security professional's day to day. So, obviously, they work pretty closely in relationships: business relationships with the product business, engineering teams, the engineering that is actually doing all of the product development, as well as their own infosec team. They have to build quality relationships. They are also responsible to onboard the security tools and programs. So you think about things like cloud tools and intrusion detection tools and anomaly detection: onboarding the products that they work with into the rest of the information security program. They are also capable of and responsible for ensuring security assessments happen on that product, and they also own some of the dashboards and metrics. There's no one in the organization that should know the security layout of that product more than a product security professional, so they're a great person to actually come up with good dashboards for measuring the security of that product end-to-end. Additionally, they are supposed to manage expectations and be the main point of contact for security for that product. So when the product team has a question and needs to get some consultation or an assessment, they manage that with the product teams themselves. They assist in any of the automation that might be needed for things like continuous integration and continuous deployment, and last, but definitely not least, they prepare the product for logging and integration, and they help with modeling, alerting and runbooks. You see a lot of the different subjects and cross-discipline work of a product security professional.

So we just talked a lot about how product security individuals have a lot of responsibilities. You might ask how to structure those product security professionals within your organization, and unfortunately, I have to say it depends. I really hate to say it depends, but it does depend very heavily on what kind of products your organization and company has and how big of a focus you have on those products. I think the best way to go is to start by looking through the unique capabilities that you might need, and using that mind map that we created earlier to think about where you might have some gaps and where you might need to structure some of your organization around those gaps. Do you have a lot of gaps, or just one or two? Then you can just, you know,

flesh out one of your programs a little bit more and just start applying it to a product, and therefore you would have a pretty good set of product security covered from a capabilities point of view. Additionally, from a structure point of view, I've seen a lot of teams (we were talking about this earlier) and organizations build out their application security and just extend that to be called product security. This is a valid approach, but the important point I'd want to make is that we want to make sure that application security, as it extends to be product security, is truly not a rename, that it really is taking in everything beyond your SDLC, everything beyond the application, and really thinking about it from a holistic product and brand point of view, to make sure you're not missing other manual areas, other places that represent risk, that have nothing to do with an application or the application development life cycle. Also, you should consider whether you want to avoid spreading your AppSec team too thin when you expand their scope to include other areas. Instead, I would encourage you to consider leaving your AppSec team as a specialized skill area and instead build out a subset of product security specialists as a team, and assign those product security specialists to specific areas, maybe based on product types: a lot of embedded product security professionals around embedded products, and if you have e-commerce, maybe a couple around that. Or you could do it based on brand, or by business model. It really depends on how your company is organized and how your products are organized in your business.

So at this point we have talked about product security and what it is, discussed what you can think of a product might be, thought about what kind of capabilities it might take to secure a product, and looked at all the potential gaps that you might have in your existing information security organization. Finally, we talked about what a product security professional is and how they might fit into your overall information security program. Since product security, as I said before, depends greatly on what kind of products you are making, there truly is no one-size-fits-all structure, but I hope that I've given you some ways of thinking about product security and how it might fit in your organization, and kind of how you would go about determining that, and working out whether and how you might add product security focus areas in your information security organization. I'm going to hand off to Wiktor so he can walk you through a case study of hiring product security professionals within Europe.

And with that, I would like to briefly share with you my experience from hiring for a product security position in Central Europe, which hopefully will make this process easier for you in the future. Naturally, it is different and your mileage may

vary, depending for example on your location and organization type. So my story dates to September 2020, when I was informed by my superiors that the head count for the product security team would increase. Great news; life couldn't be better, and we were looking for a candidate in Poland for the role of product security engineer. To be honest, I felt then that the hiring of a skilled individual for that particular position would be a piece of cake. Why? Well, mostly because there are a lot of technically skilled and motivated people in the Polish infosec community, and the role is interesting and, in my opinion, allows a candidate not only to demonstrate but also to develop new skills in many areas of infosec. Our job offer was similar to those published by the industry leaders, Amazon AWS, Tesla, or Facebook: it basically required knowledge in the area of application security, penetration testing, and IT architecture, where DevOps and container security knowledge were nice to have. The offer looked pretty solid, and after publishing there was nothing more to do than to wait, and time went by one week after another.

Until this moment everything was straightforward, but things started to go south from here. It wasn't even the fact that the applications that were sent to us didn't fit the job position; there were no CVs or resumes at all. It looked like we were heading for a bumpy ride, and obviously we needed some troubleshooting to discover the problem. Naturally, when you troubleshoot, you check the most obvious things first and step by step you get to the bottom of the problem. Well, I started by checking if the pages through which people send their CVs work, and I asked HR for help, and they said that everything works fine from their perspective. For this particular recruitment process they use the same applications and services as for other IT and security-related positions, and they did not notice any problems with the flow. As an infosec person, I trust, but I like to verify, and I did what most of the people like me would have done in my place: I created a fake online profile. I generated a fake photo using one of the available websites designed for that. I made a nice resume, which included a technical university abroad, four years of application security experience, and an industry certificate, and I sent it. You wouldn't have guessed what happened: it worked. HR was indeed right, and the tools they used for the recruitment were working. So this wasn't the issue, and it was something different. Now the only thing I needed to do was to explain to HR why I didn't want to invite the only candidate that

applied for this position, but luckily they were quite understanding.

So I needed to try something different, and I decided to ask my friends, without looking at the description of the position, what they think of when they hear the name product security or product security engineer. Just for you to know, each of them has 5+ years of experience in the field of information security. And to be honest, their answers surprised me. One of them said that product security is probably recruitment to an antivirus company. Another said that if the product we sell is security, then this must be outsourcing. I also heard that this must be a tech support job focused on security issues, like helping to do backups or configure software. And one of my friends even said that this is a buzzword she had never heard of and she doesn't know it. So the situation was even worse than I thought, and at least we started to realize that the issue we are dealing with is a problem with recognizing the name and the brand.

So we started to approach potential candidates, not only to ask them if they were interested in our offer, but also to talk with them about the thoughts they have about the position, and their responses were also really interesting. Some people said that the job position is really interesting, but not for the particular point in their career they are at right now, so they might be interested in this position in the future when they have more experience. Someone we tried to hire said that we are looking for an IT security master. A developer interested in moving to infosec told us that we were probably searching for a cybersecurity wizard, and a consultant said that we are looking for an infosec commando, and this is interesting because this was a compliment from his side; he thought it was great. So generally, they all thought that we are looking for a unicorn.

Okay, so we knew what we were dealing with. We went back to HR with all those opinions, information, and knowledge that we had gathered, sat down, and modified our job description. We also focused more on explaining to our candidates what the role was about and what opportunities it brings. Finally, after some twists and turns, we found our candidate. You might ask who fits this role. From our experience, in a community which is not acquainted with the concept of product security, the best candidates come from consulting firms, where they were used to doing various projects and have broad experience in various infosec lines,

and also people from smaller companies, where there's not a lot of infosec personnel and you need to get familiar with security stuff and handle security as you go.

So what I've learned from that experience, and what I wish I knew when I was starting the recruitment process, is that product security, although being on the market, let's say, from 2013, is still at its infancy level or stage, at least in Poland, and it will take some time for people to associate the name product security with what it really means. And since the concept of product security is not well recognized, at least outside the United States, the recruitment process can be a real wild west. Candidates that match the profile don't have their job search alarms triggered for product security, and the candidates that applied for the position don't fully grasp what the role is about, and because of that you will probably devote more time and energy than expected. Basically more time and energy than if you would compare this recruitment process to a process where you recruit an application security specialist or a penetration tester. To be honest, I don't see this situation changing without more awareness being spread about what product security is during local meetups and conferences. I think that knowing all of that would have allowed me to approach the situation differently in the past and make better decisions, and I would have found the ideal candidate faster.

So, to sum up what Jen and I have been talking about during this presentation: if you would like to apply product security to a real program, right now you should compile a list of the most important product types you have, enumerate the scope, and create a mind map with the gaps that you found, looking for suitable candidates within the existing team. There might be some infosec lines that will make great product security professionals. Within the next three months, try to devote one full-time employee to the product security area, addressing only the highest risk in your company. After six months, think about this experiment and decide whether this was a good approach and you should devote more resources to product security, or maybe product security is not suited for your company.

On the other hand, if you are hiring for a product security position outside the US in the near future, you should build a job description that attracts people that, in your opinion, fit the profile; in our case, consultants and infosec team members from smaller organizations. What I mean by that is that you should put in your job description words targeted at those people, something like "fast-paced company", "learning opportunities", which bring cooperation with developers, business owners and other infosec teams, the possibility to do cross-discipline work between infosec lines, and ask HR managers to look for the people who are interested in those offers. Within the next three months, if you don't get any hits, try updating your job description based on the candidates' feedback, and just do some troubleshooting. Let's hope that after six months you'll enjoy your new employee. And if you have some time, please spread and share your recruitment experience during an online meetup or a conference. Thank you very much. If you have any questions, please join us in the Q&A session following this presentation.
