An Opinionated Guide to Scaling Your Company's Security
I spent 100s (1000s?) of hours over the past few years studying how companies have scaled their security.
This talk distills the big, scalable, systematic wins that measurably improve a company's security posture, aggregated from dozens of conference talks, blog posts, and in-person conversations I've had with security engineers at tens of companies.
What I Learned Watching All 44 AppSec Cali 2019 Talks
Detailed summaries of ~32 hours of talks, searchable and grouped by category, to supercharge your security program 🚀
Lessons Learned from the DevSecOps Trenches
Clint moderated a panel of AppSec professionals experienced in security automation discussing their lessons learned, best practices, mistakes they’ve made, and more. Panel members included senior security leaders from Dropbox, Netflix, Datadog, DocuSign, and Snap.
Rolling Your Own: How to Write Custom, Lightweight Static Analysis Tools
We describe how to use open source tools to create custom checks for interesting code patterns, for example, to detect bugs or anti-patterns.
We also show how abstract syntax tree (AST) matching can be used to iteratively explore Rails code bases as well as find command injection bugs in ExpressJS web apps across all of GitHub.
Automated Bug Finding in Practice
A nice introduction and overview of automated bug finding techniques, covering the strengths, weaknesses, and best use cases of several approaches. We discuss static and dynamic taint analysis, symbolic execution, fuzzing, and combining symbolic execution with fuzzing.
Clint is a co-founder of Practical Program Analysis, LLC.
By day, Clint is a Technical Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration tests for companies ranging from large enterprises to new startups.
Clint has previously spoken at conferences including BlackHat USA, AppSec USA, and AppSec EU. Clint holds a Ph.D. in Computer Science from the University of California, Davis.
Daniel is a co-founder of Practical Program Analysis, LLC. By day, Daniel is an Assistant Professor of Computer Science at Southern Oregon University. His research interests are in program analysis, security, and machine learning on code. He has built automated tools that have found bugs in the Linux kernel and OpenSSL.
Daniel holds a Ph.D. in Computer Science from the University of California, Davis.
We believe that security professionals have a moral obligation to build systems that are safe by default, respect privacy by default, and cannot be used for surveillance or censorship.
We share our research publicly, because that’s the best way for the industry to move forward. Together.
We believe that security tools can be fast, intuitive to use, and make intelligent security professionals vastly more productive.
We believe that security tools should be accessible to a broad audience, not prohibitively expensive, and should be designed with extensibility and customizability in mind.
Finally, we find joy in understanding the core of how and why things work, prototyping whacky tool ideas simply because we can, and doing our best to leave a positive mark on the world.
Keep in Touch
We write about:
- Application security, scaling security and DevSecOps.
- Automated bug finding (static and dynamic analysis, fuzzing, etc.)
- Summaries of current security research, from industry and academic conferences.
- Evaluating open source and commercial security tools: tips and tricks on using them, how they work, and potential gotchas.
- How to build your own custom security tools.