Podcast: Systems Thinking & Security

I had a blast doing this podcast episode with Rohit Sethi where I make the case for taking a "Systems Thinking" based approach for security and discuss its implications on leadership.

More details here

Podcast Link is here.

SCORE Bot @ AppSec USA 2018

This year's AppSec USA was fun. I presented about PayPal's home-grown security product called SCORE Bot (Secure COde REview Bot) along with my team mate, Vidhu.

The abstract is here:

In today’s DevSecOps world, “shift to the left” is not a new mantra for AppSec practitioners. It is imperative to notify developers about potential security issues as early as possible.

While heavy-weight static and dynamic analysis tools and fuzzers exist to find generic technical security flaws, finding custom security issues that are specific to an organization’s proprietary frameworks, APIs, libraries, etc. is often tricky, time-consuming and expensive to capture and maintain as “custom rules” in those tools. IDE plug-ins are often messy to deploy and maintain at scale in the real-world when you are dealing with highly diverse programming languages/frameworks and thus various versions of different IDE products.

Secure COde REview Bot (SCORE Bot) fills that gap and provides real-time, in-context security-oriented code review that focusses on org-specific security issues. It does that by automatically hooking into the GitHub Pull Request (PR) process and posts PR comments with not only the details about the identified security vulnerabilities but also remediation advice so that developers have actionable guidance to fix those security issues.

Driven by insights from behavioral science and experimentation (A/B testing), SCORE Bot became our reliable eyes-and-ears of the code being written at PayPal and a trusted security peer reviewer for our developers.

In this talk, we’ll share the lessons-learned from rolling out SCORE Bot at PayPal with details on what worked, what proved challenging with some real-world metrics from our deployment that scaled to cater to diverse programming languages, frameworks and CI/CD pipelines.

The recording of the talk is here: 

Building Security In: A Tale of Two Stories (RSA 2017)

I spoke @ RSA Conference DevSecOps back in February.

The idea for the talk stemmed from the ton of follow-up questions focussed on one area from my RSA talk last year - automating generation of "security stories" and making them equal citizens to "user stories".

It was a great experience overall coupled with interesting hallway conversations from other AppSec practitioners trying to get upfront security requirements into the hands of their developers.

Here is the video on YouTube:

RSA Conference 2016

I'll be speaking at RSA Conference this year.

If you are attending the conference, please be sure to check out the talk titled "Agile Security—Field of Dreams".

Here is the abstract:

"PayPal started its Waterfall to Agile transformation journey two years ago. That meant that the software security program had to morph as well. The Field of Dreams question of “if you build it, will they come?” was no longer a valid question! Come hear about real-world insights about integrating security into Agile—approaches, processes and tools put in place and the results from them."

Thing Explainer

Just finished reading "Thing Explainer" by Randall Munroe (yes, the xkcd dude!).

One of my favorite topics was "Shape Checker".


"This machine checks whether you have a piece of metal with a certain shape. If you do, it lets go of whatever it’s holding on to. People put these machines on boxes, doors, and cars to try to control who can open or use them.

What’s interesting about these machines isn’t really the machine itself. There are lots of different kinds that work in different ways, but they’re all the same in one way: They try to put people into groups.

By checking whether someone has a piece of metal that’s the right shape, this machine is really a way to try to tell whether people are who they say they are. It’s an idea—about which people should be allowed to do something—brought to life in metal."

BayThreat 4

I'll be speaking at BayThreat 4 tomorrow. If you managed to grab the tickets (it is all sold out now), please stop by at 10:30 AM ("Building Security" track).

This is basically an action-oriented quickfire version of the talk that I did earlier this year at the MS SDL Conference.

Two-Step Verification on LinkedIn

Following Microsoft, Apple, Evernote and others, LinkedIn has now enabled two-step verification.

Their iOS mobile app experience could be better (for now: you have to login with your password, get the one-time sms code, then concatenate it with your password for you to complete your login) . I'm sure future updates to the app will fix that...

Good to see multi-factor authentication take off in a big way. I hope that FIDO gains good adoption in the months and years to follow ...

Security Development Conference 2013

If you are attending the Security Development Conference next week, please be sure to check out the talk titled "Tales from the Trenches: Rollout of Static Analysis Tools for Large Enterprises".

My colleague, Rick Marvin and I will be the co-speakers at this talk. While security relies on multiple practices of SDL, we mostly focus on one practice: Static Analysis. From real-life experience, we discuss what worked, what proved challenging and provide actionable rollout tips for security practitioners.

RFC6797 - HTTP Strict Transport Security

What if there was no such thing as a "hostile" network? You could either connect "securely" or not connect at all...

Well, RFC6797 is one baby-step in that direction. Congrats to =JeffH and the co-authors on successful publication of this RFC.

IEEE Security & Privacy | Static Analysis in Motion

I had the opportunity to participate in a roundtable discussion on static analysis tools, for the IEEE Security and Privacy magazine. The roundtable was organized by Brian Chess, the founder of Fortify software. Bill Pugh, Kris Britton, Chris Eng, Jacob West and myself took part in the discussion. A partial transcript of the discussion appeared in the current edition of the magazine.

Here is an excerpt of the article.

To read the entire article, please visit www.computer.org/security and subscribe/purchase the magazine.

Note: This article is Copyright IEEE and was originally published in IEEE Security &
Privacy magazine, Vol. 10, No. 3, 2012, pp. 53-56.