Presentation: How to Backdoor Invulnerable Code



11:50am - 12:40pm




Key Takeaways

  • Understand what happens when you have a secure product built by insecure systems run by insecure humans
  • Learn that a security product is more than just the coded features
  • Focus on how to improve the state of security of a company


It is easy to think that securing a product relies on writing code without vulnerabilities, and it's true that this is a very important aspect, but a secure product relies on more than just the code written. To an attacker, every aspect involved in the development process, from the human element to the build pipeline, is fair game. In this talk we'll take a candid look at the real tactics, with examples, used to compromise and backdoor seemingly secure products by exploiting the humans and systems that create them.


What is the focus of your work today?

I run an offensive security team that consists of red team penetration testing and zero day research. I am focused on improving the state of security for my company through high impact adversarial simulations (Red Team penetration testing), shifting the paradigm of security assessments from rubber stamping towards realistic truth finding engagements, and building the best internal offensive security team in the private sector.

What’s the motivation for your talk?

I have seen the pressure to build products quickly trump the intention to build products resiliently time and time again. When I see products being built securely, this normally means the actual code base creates a product that doesn’t have low-hanging security flaws. Almost every time I encounter something like this, the underlying process, humans, and systems that build, write, and store this code are woefully insecure. I want to share the lessons I’ve learned and teach developers that a secure product is more than just the coded security features, but every aspect that goes into the process.

How would you describe the persona of the target audience of this talk?

I think my talk will be entertaining to anyone. Tales of social engineering are stories grounded around human interaction and anyone can relate to that. The more technical stuff requires some familiarity with the technology stack used to put together code.

How would you rate the level of this talk?

I suppose, it’s a triple A+ Diamond Level Talk on the scale I made up just now. It has high level explanations and low level technical examples.

QCon targets advanced architects and sr development leads. What do you feel will be the actionable takeaway that type of persona will walk away from your talk with?

Hacking and cyber and a bunch of scary stories are in the news every day now. I feel like the senior leaders in the development community could walk away with a more holistic view of security, then subsequently architect and lead development projects that are more prepared to deal with the risks that they will face.

What do you feel is the most disruptive tech in IT right now?

Corporate Politics.

Speaker: Josh Schwartz

Director of Offensive Security @Salesforce

Josh Schwartz is a computer that knows how to computer. He leads the Red Team at Salesforce conducting high impact offensive security engagements and frequently creates propaganda memes.
