We try to give back to the security community by giving talks and trainings to share knowledge from our areas of interest and expertise.
This page organizes talks and trainings we’ve given by topic.
Trainings
Augmenting Penetration Testing with Lightweight Static Analysis
These trainings began by discussing threat modeling and tips and tricks for efficient source code review, as well as dynamic testing.
We then gave an overview of the pros and cons of automated bug finding techniques and ended with a hands-on lab where attendees wrote custom lightweight static analysis scripts to find potentially vulnerable code.
Augmenting Penetration Testing with Lightweight Static Analysis
Daniel DeFreez, Clint Gibler
CactusCon, Mesa, AZ. September 28th, 2018.
abstract
Augmenting Penetration Testing with Lightweight Static Analysis
Daniel DeFreez, Clint Gibler
ShellCon, San Pedro, CA. September 21st, 2018.
abstract
Industry Talks
Scaling Your Company’s Security
While the DevSecOps State of the Union and How Leading Companies are Scaling Their Security talk series focus on providing an overview and distillation of the current state of the art in modern security practices, these talks instead take that information and present it as an actionable, prescriptive (rather than descriptive) guide to things companies can do to drastically scale their security efforts.
DevSecOps State of the Union
RSA Conference, San Francisco, CA. February 25 2020
abstract
How to 10X Your Company’s Security (Without a Series D)
Clint Gibler
BSidesSF, San Francisco, CA. February 24 2020
abstract
An Opinionated Guide to Scaling Your Company’s Security
Clint Gibler
AppSec California, Santa Monica, CA. January 24 2020
abstract
slides
video
How to Write Custom, Lightweight Static Analysis Tools
In this talk, we describe how to use open source tools to create custom checks for interesting code patterns, for example, to detect bugs or anti-patterns.
Rolling Your Own: How to Write Custom, Lightweight Static Analysis Tools
Clint Gibler, Daniel DeFreez
ShellCon, San Pedro, CA. October 11th, 2019
abstract
slides
source code
DevSecOps State of the Union
In these talks, we summarize and aggregate a large number of DevSecOps talks over the past few years across many conferences.
Keynote: DevSecOps State of the Union
Clint Gibler
DevSecCon Tel Aviv, Tel Aviv, Israel. November 5th 2019
abstract
slides
DevSecOps State of the Union
Clint Gibler
BSidesSF, San Francisco, CA. March 4th 2019
blog post
abstract
slides
video
(Panel) Lessons Learned from the DevSecOps Trenches
In these talks, Clint moderated a panel of AppSec professionals from different companies who are all experienced in security automation. We discussed lessons learned, best practices, mistakes they’ve made, and more.
Note: some of these presentations were not recorded to allow the panelists to speak more freely.
Lessons Learned from the DevSecOps Trenches
Clint Gibler, Research Director, NCC Group
Zane Lackey, Chief Security Officer, Signal Sciences
Justine Osborne, Offensive Security Technical Lead, Apple
Astha Singhal, AppSec Engineering Manager, Netflix
Doug DePerry, Director of Product Security, Datadog
abstract
Lessons Learned from the DevSecOps Trenches
Clint Gibler, Research Director, NCC Group
Zane Lackey, Chief Security Officer, Signal Sciences
Doug DePerry, Director of Product Security, Datadog
Tash Norris, Head of Product Security, Moonpig
Jesse Endahl, Cofounder and CSO, Fleetsmith
DevSecCon London, London, UK. November 14th, 2019
abstract
Lessons Learned from the DevSecOps Trenches
Clint Gibler, Research Director, NCC Group
Zane Lackey, Chief Security Officer, Signal Sciences
Astha Singhal, AppSec Engineering Manager, Netflix
Hongyi Hu, Engineering Manager, Product Security, Dropbox
Doug DePerry, Director of Product Security, Datadog
Justine Osborne, Offensive Security Technical Lead, Apple
DevSecCon Seattle, Seattle. September 16th, 2019
abstract
Lessons Learned from the DevSecOps Trenches
Clint Gibler, Zane Lackey (Chief Security Officer, Signal Sciences), Justine Osborne (Offensive Security Technical Lead, Apple), Kelly Ann (Product Security Engineer, Slack), Julian Berton (Security Engineer, SEEK)
DevSecCon Singapore, Singapore. February 28th, 2019
abstract
Lessons Learned from the DevSecOps Trenches
Clint Gibler, Research Director, NCC Group
Dev Akhawe, Director of Security Engineering, Dropbox
Doug DePerry, Director of Product Security, Datadog
Divya Dwarakanath, Security Engineering Manager, Snap
John Heasman, Deputy CISO, DocuSign
Astha Singhal, AppSec Engineering Manager, Netflix
AppSec Cali, Santa Monica, CA. January 25th, 2019
summary
abstract
video
Empowering Modern Development with Security Automation - Trials and Tribulations from the Trenches
Clint Gibler, Devdatta Akhawe (Director of Security Engineering, Dropbox), Doug DePerry (Director of Product Security, Datadog), Zane Lackey (Chief Security Officer, Signal Sciences), John Heasman (Deputy CISO, DocuSign), Scott Behrens (Senior Application Security Engineer, Netflix)
AppSec USA, San Jose, CA. October 12th, 2018.
abstract
How Leading Companies are Scaling Their Security
In these talks, we focus on practical, actionable security automation pro-tips, based on in-person conversations with AppSec engineers at companies with mature security programs.
There are many talks on DevSecOps mindsets and principles. These talks instead focus on, “OK, I’m on board, now what are some specific things I can do?”
See the AppSec EU slides and video for the definitive, best version of this work.
N Sec Things You can DevOps in 15 Minutes
Clint Gibler
No Big Thing (NBT), San Francisco, CA. December 1st, 2018.
slides
How Leading Companies are Scaling Their Security
Clint Gibler
AppSec EU, London, UK. July 5th, 2018.
abstract
slides
video
The SecDevOpronomicon - Arcane Secrets for Scaling your Company’s Security
BSides SF, San Francisco, CA. April 16th, 2018.
abstract
slides
video
SecDevOps: Current Research and Best Practices
Clint Gibler
Okta REX, San Francisco, CA. March 13th, 2018.
SecDevOps: Current Research and Best Practices
AppSec Cali, Santa Monica, California. January 30th, 2018
abstract
slides
video
Invited talk: SecDevOps: Current Research and Best Practices
Clint Gibler
Bay Area CISO Council, San Francisco, CA. November, 2017.
Automated Bug Finding in Practice
In these talks, we discuss the strengths, weaknesses and best use cases for leveraging several types of automated bug finding techniques.
Techniques covered include static and dynamic taint analysis, symbolic execution, fuzzing, and combining symbolic execution and fuzzing.
How Can I Find Thee? Let Me Count the Ways - Automated Bug Finding in Practice
Daniel DeFreez, Clint Gibler
CactusCon, Mesa, AZ. September 28th, 2018.
abstract
slides
Automated Bug Finding in Practice
Daniel DeFreez, Clint Gibler
ShellCon, San Pedro, CA. September 22nd, 2018.
abstract
slides
video
Analyzing Security Trends Across 100 Companies
Show Me the Data: Analyzing Security Trends Across 100 Companies
Nullcon, Goa, India. March 12th, 2016.
abstract
slides
Show Me the Data: Analyzing Security Trends Across 100 Companies
No Big Thing 2 (NBT2), San Francisco, CA. December 5th, 2015.
A quantitative examination of the current state of corporate security practices
Virus Bulletin, Prague, Czech Republic. September 30th, 2015.
abstract
slides
paper
video
Miscellaneous Talks
An Opinionated Guide to Doing Security Research
Clint Gibler
NCC Con, San Diego, CA. January 2018.
We’re From the Red Team, and We’re Here to Help: Infrastructure Tourism Edition
Jessica Solper, Clint Gibler
DeadDrop SF, San Francisco, CA. October 26th, 2017.
Static Analysis Fundamentals, Advantages, and Challenges
Clint Gibler
NCC Con, Las Vegas, NV. January 2017.
Academic Publications
Detecting and Reproducing Error-Code Propagation Bugs in MPI Implementations
Daniel DeFreez, Antara Bhowmick, Ignacio Laguna, and Cindy Rubio-González
To appear in the proceedings of Principles and Practice of Parallel Programming (PPoPP’20), February 22-26, 2020.
Effective Error-Specification Inference via Domain Knowledge Expansion
Daniel DeFreez, Haaken Martinson Baldwin, Cindy Rubio-González, and Aditya V. Thakur
Proceedings of the 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE’19), August 26-30, 2019.
abstract
paper
Path-Based Function Embedding and Its Application to Error-Handling Specification Mining
Daniel DeFreez, Aditya V. Thakur, and Cindy Rubio-González
Proceedings of the 26th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE’18), January 4-9, 2018.
abstract
paper
Mining error-handling specifications for systems software
Daniel DeFreez
Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, January 4-9, 2018.
abstract
paper
A First Look at Firefox OS Security
Daniel DeFreez, Bhargava Shastry, Hao Chen, Jean-Pierre Seifert
Mobile Security Technologies (MoST) Workshop, in conjunction with the IEEE Symposium on Security and Privacy, May 18-21, 2014.
paper
Using and Asking: APIs Used in the Android Market and Asked About in StackOverflow
Daryl Posnett, David Kavaler, Clint Gibler, Hao Chen, Prem Devanbu, and Vladimir Filkov
5th International Conference on Social Informatics (SocInfo), Kyoto, Japan, November 25-27, 2013.
1 of 5 nominated for Best Paper.
AnDarwin: Scalable Detection of Semantically Similar Android Applications
Jonathan Crussell, Clint Gibler, and Hao Chen
18th European Symposium on Research in Computer Security (ESORICS), Egham, U.K., September 9-13, 2013. (18%)
AdRob: Examining the Landscape and Impact of Android Application Plagiarism
Clint Gibler, Ryan Stevens, Jon Crussell, Hao Chen, Hui Zang, and Heesook Choi
Mobile Systems, Applications and Services (MobiSys) 2013
Attack of the Clones: Detecting Cloned Applications on Android Markets
Jon Crussell, Clint Gibler, and Hao Chen
European Symposium on Research in Computer Security (ESORICS) 2012
AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale
Clint Gibler, Jon Crussell, Jeremy Erickson, and Hao Chen
International Conference on Trust and Trustworthy Computing (TRUST) 2012
Investigating User Privacy in Android Ad Libraries
Ryan Stevens, Clint Gibler, Jon Crussell, Jeremy Erickson, and Hao Chen
Workshop on Mobile Security Technologies (MoST) 2012, in conjunction with IEEE S&P