Details

Thank you to Facebook for hosting us and speaking about their appsec program!

Please register at the Eventbrite link with an accurate name and email for building access; your badge must match your ID. There is a site NDA.

https://www.eventbrite.com/e/an-evening-with-owasp-at-facebook-tickets-77351627801

---

Zoncolan
Francesco Logozzo, Software Engineer
https://www.linkedin.com/in/francesco-logozzo-4106386/

Facebook’s web codebase currently contains more than 100 million lines of Hack (https://hacklang.org/) code. The code changes thousands of times per day. No one has enough security engineers to review all this code. To keep up, we have focused on building systems that help our security engineers scale to become tens or hundreds of times more effective than they would be on their own.

The talk will go into detail on one of our systems, called Zoncolan, and the process we followed to build “static analysis for security professionals, by security professionals.”

See also the engineering blog post
https://engineering.fb.com/security/zoncolan/
and the Wired article
https://www.wired.com/story/facebook-zoncolan-static-analysis-tool/

Zoncolan helps security engineers scale their work by using static analysis to automatically examine our code and detect potentially dangerous security or privacy issues. We started building Zoncolan by bringing together static analysis experts and security engineers to review reports of past security vulnerabilities, including bug reports, root causes, and corresponding code fixes. We have since built extensive infrastructure for running Zoncolan, tracking the results, and providing access to those results in context.

Zoncolan has demonstrated a high signal-to-noise ratio, speed, extensibility, and a low rate of false negatives. It achieves this by focusing on issue classes that lend themselves well to static analysis. Unlike previous methods, Zoncolan provides new static analysis algorithms (a non-uniform, modular, compositional, and parallel abstract interpretation) that make it possible to fine-tune the accuracy/cost ratio of the analysis. In 2018, Zoncolan found more than 1,100 security issues that required immediate action.

---

Strategic code reviews
Nathan Starr, Technical Program Manager
https://www.linkedin.com/in/ntstarr/

Security reviews are one of the tools in a Product Security team's toolbelt to validate the design and implementation of the products their organization ships. At Facebook, we perform hundreds of security reviews each year on well-scoped features across all of our product areas and tech stacks. Occasionally, we encounter a company initiative where a single security review will not suffice. In these instances we rely on a strategic review. A strategic review is a prolonged engagement where a security engineer performs an amalgamation of security reviews centered around a large initiative in the organization. Strategic reviews can be either depth-based, where the review focuses on a single product, or breadth-based, where the review covers a single paradigm across multiple products. We will share how and why we've chosen to do strategic reviews, and some of our success stories and lessons learned along the way.

---

So Your Company Bought a Company - A Crash Course on Acquisitions Security
Aaron Brown
https://www.linkedin.com/in/aaron-brown-31529910

In this talk I'll cover threats, pitfalls, and best practices for security practitioners during company acquisition and integration. I will talk about what to look out for during pre-acquisition due diligence and how to manage onboarding and integrating an entire new company all at once. I'll include practical tips for assessing security maturity, best practices for different kinds of integrations, and a rundown of what to watch out for throughout the process of securing a newly acquired subsidiary.

This talk assumes no prior M&A knowledge or experience.

Sponsors (hosting and refreshment)

Tableau
Docusign
Extrahop
Twitter Seattle
