OWASP Meetup - South Bay June 2019

Security time, courtesy of our host Intuit! We will have three exciting talks, lots of people to meet, and great food.

• 6:00 - Doors open
• 6:30-6:40 - Intro/welcome
• 6:40-7:10 - Container Security: Theory & Practice At Netflix (Michael Wardrop)
• 7:15-7:45 - Third-party Ecosystem Security (Rajashree Pimpalkhare)
• 7:50-8:20 - Cloudy with a chance of hax (Brianna Malcolmson)

Talk 1: Container Security: Theory & Practice At Netflix (Michael Wardrop)

Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs; pioneering micro-services followed, then status as a first-class platform running critical workloads. As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory and architecture, along with practical considerations and lessons we learnt along the way.

Michael Wardrop is the security champion for the Netflix container ecosystem.

Talk 2: Third-party Ecosystem Security (Rajashree Pimpalkhare)

Intuit supports an ecosystem of 3P applications and developers that aim to solve critical use cases for customers worldwide. Intuit directly offers 650+ apps to our customers and also serves over 7000 apps organically through the open platform. With the recent incidents with other open platform ecosystems such as Facebook and Google, we have increased our focus on 3P ecosystem security. This talk will elaborate further on how we ensure transparency into data sharing, security of our customers' data and curation of the overall ecosystem.

Rajashree leads engineering for the Intuit Developer Group. QuickBooks Online provides the de facto platform of choice for developers building applications for small businesses globally. Rajashree is passionate about helping build a thriving app ecosystem with these developers that can power prosperity of small businesses worldwide. Rajashree's team is responsible for Intuit’s 3P developer platform and product experiences as well as building world-class integrations with strategic partners.

Talk 3: Cloudy with a chance of hax (Brianna Malcolmson)

One of the most difficult things to measure as a red team is effectiveness. People can intuitively understand the benefits of red teaming and the service it provides in mitigating unforeseen errors, but this is by nature difficult to quantify. The subtleties involved can be somewhat removed from the equation by having a team of trained forecasters estimate the likelihood of certain scenarios and measuring the change in their estimates over time to determine if security posture is improving or deteriorating. I used this method over 1 year at Atlassian to determine if it is a feasible system for deriving red team OKRs. This talk will be about the method I used and how it worked out.

Brianna Malcolmson leads the red team at Atlassian. When she isn’t busy preventing opsec fails and orchestrating 5th dimension social engineering schemes, she works on her true passion: creating frameworks that enable security teams to show their orgs the value they bring with objective, quantitative measurements.