
Details

It's time for more security in the city, courtesy of our host Slack. There will be three talks, food/drinks, and great people to meet.

• 6:30 - Doors open
• 6:50-7:00 - Intro/welcome
• 7:00-7:30 - Securing Autonomous Robots @ Scale (Talha Tariq)
• 7:35-8:05 - 0 to 1: Startup Security (Coleen Coolidge)
• 8:10-8:40 - Locking Down Slack Image Processing (Nik Kinkel)
• 8:40-9:00 - Networking

Talk 1: Securing Autonomous Robots @ Scale (Talha Tariq)

In this talk we will talk about our journey to secure our robots at scale. This talk will help a spectrum of different audiences, including developers, testers, consumers, and manufacturers, to understand the threats to their products, and guide developers and product builders towards building security from the start. We will talk about software, applications, operating system, hardware and supply chain security challenges as well as our strategy to mitigate threats from the ground up. We will also talk about some emerging and upcoming threats as they pertain to complex sensors and autonomous systems that make decisions based on ML / AI algorithms. Finally, we'll touch on some differential privacy work we have done to improve privacy of our customer data.

Bio:
Talha Tariq is the CISO at Anki, a consumer robotics and AI company where he leads security and privacy engineering efforts. He has 15 years of experience building and scaling security programs from startups to large Fortune 100 organizations. Previously he was CISO for FinancialForce, Director of Security Consulting at PwC, and has held various security engineering and leadership positions at Microsoft and NCR. He has broad security and privacy engineering experience and patents building trusted platforms for cloud and IoT devices. Talha holds a BS in Computer Science & MS in Information Security from Royal Holloway, University of London.

Talk 2: 0 to 1: Startup Security (Coleen Coolidge)

This is a talk for the one Security person working at a startup who wants to build a legitimate security and trust practice, essentially taking your startup's security from 0 to 1.

If you've never led this successfully before, you may benefit from a new way of thinking about security, so you can understand how to assemble and evolve all the pieces.

Bio:
Coleen Coolidge is Head of Security at Segment in San Francisco, where she is building holistic security programs and teams from scratch to protect customer data. Previously, she did the same at Twilio (pre-IPO and post-IPO) as Sr Director of Trust and Security. She's also served in security-leadership positions at more traditional, enterprise companies like First American Title and CoreLogic in Southern California. Coleen's goal is to advance the security culture past “just having some infrastructure people do it” to creating a comprehensive program where everyone in the company takes ownership and improves the company’s security posture every year.

Talk 3: Locking Down Slack Image Processing (Nik Kinkel)

Image uploads are a core Slack feature, but image processing hasn’t always been a core Slack focus. There’s nothing like posting that perfect reaction GIF, but from directory traversal, to arbitrary file overwrites, to ImageTragick, there’s a whole lot that can go wrong on the backend. This talk will explore the history of image uploads at Slack and describe how we built a system to isolate production data and infrastructure from the woes of image processing.

Bio:

Nik is a Security Engineer on the Product Security Foundations team at Slack, where he writes code to keep Slack safe. Nik works on secure-by-default libraries and frameworks, builds internal services to harden Slack’s production infrastructure, and works with development teams early in the product lifecycle to integrate security principles into core feature design. Before joining Slack, Nik was a Security Engineer on NCC Group’s Cryptography Services team.
