I recently presented a talk at DevSecCon Singapore, DevOps Talks Conference and at a joint security Meetup on some of the security highlights and lessons learn’t from the last 4 years at SEEK.
Talk description
Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire and the holy grail of producing a security inspired product is but a dim light growing further and further away. The same feeling is true for security aware engineers being pushed to develop products quickly but also expected to consider quality assurance, operations, security and the reliability of their application or service.
To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and «JIT» education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures:
- «JIT» Education — Changing a companies security culture with RFC’s for security standards, security integrated PIR via bug bounty program reports, visibility through security maturity frameworks (BSIMM).
- Automation — Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers, an effortless process.
- Prevention — Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public.