Presentation: Security Champions: Only YOU Can Prevent File Forgery

Track: Security: Red XOR Blue Team

Location: Westminster, 4th flr.

Duration: 4:10pm - 5:00pm

Day of week: Monday

Level: Intermediate

Share this on:

What You’ll Learn

  1. Hear about Security Champions, what they are and what they are useful for.
  2. Learn how to become a Security Champion for your team.
  3. Find out how to apply specific security training to developers in major programming languages.

Abstract

As a Developer, there will come a time when you realize that you have the power to not only ship awesome features, but also protect them so that no one else can tamper with all your hard work. Every Developer is responsible for coding securely, but there are a brave few among us that will take this power one step further by wearing the mantle of a Security Champion.

This talk will be your guide to becoming the Security Champion you always wanted to be, in just 5 easy steps. We’ll also talk about what benefits you get out of it, besides saving the world, and what to do if your company doesn’t have a Security Champions program or even a Product Security program.

Question: 

What is the focus of the work that you do today?

Answer: 

Right now I'm working at Synopsis on a team called Product Security, and the focus of our work is to increase the amount of security activities that the engineering team is doing for our products. Our goal is to make the most secure product possible and to increase the security mindset of our employees in the engineering department for the products that we have.

Question: 

Tell me about your talk.

Answer: 

One of the aspects that I work on is a program called Security Champions. It's a really exciting way for people outside of their Product Security team to get involved and be I think more interesting parts of security which is the actual developing code in a secure way. For this program we have nominated one security champion per product and that person goes through a process of training with me to become the advocate for security in their organization. Through that process it's a great way for this individual to get more skills enhancement and security and become more of a key player in the product development. As the security team introduces more security requirements into the product development lifecycle that person becomes a key player in helping to execute on those security requirements and becomes more of a champion and an advocate on their team to help the product team get through those security requirements successfully so that there's no delay on release, that there isn't any freeze security vulnerability remediation that needs to happen.

That's why we call it Security Champion because at the end of the release you could be the person that is the champion for the team that stops the security team from having to delay the release.

Question: 

It flips the adversarial relationship and makes it into a a member of the team.

Answer: 

Yes, exactly. It's a partnership and we're really excited to show a security champion what is happening on our side of the fence and show them what we have to deal with and what our requirements are. On the flip side they get to show us what the business requirements are and what they're being pushed to do as far as features and releases and deadlines, and it creates a much more sympathetic relationship.

Question: 

What's the focus of the talk?

Answer: 

The audience that I envision is developers, somebody that is senior enough to be able to speak to how changes in features and requirements affect change in the product. I am hoping to convince people to become security champions, and take the advice and the process that I've created and take it into your team as a developer and become a security champion. I'll talk about either how to request that a Security Champion's program is built among your security team, or if your company doesn't have the security team to support a Security Champion's program, how you can be like an army of one in your organization without the support of the security team. I'll give you the step by step guide for what you should be looking out for to be that security champion even without the support.

Question: 

So, coming to your talk I'll learn a step by step guide to becoming a security champion, and what are the benefits of having security champions. Any other major takeaways?

Answer: 

 I'll also talk about specific training. For example, Java is a very popular secure coding training in our organization. There are a couple of popular languages that have some good training, so you could hit the ground running to becoming a champion.

Speaker: Marisa Fagan

Product Security Lead @Synopsys

Marisa Fagan is the Product Security Lead at Synopsys in SF, US. She works on building security into every phase of the SDLC and empowering developers to not need her. Previously in her career, she has worked as a security culture expert at places like Salesforce, Facebook, Bugcrowd, and Errata Security. She builds communities in the Information Security industry around security research and vulnerability disclosures, and is the co-founder of several conferences and organizations. Mrs. Fagan has been a presenter at Black Hat Trainings, DEF CON, Summercon, SecTor, B-Sides, and CactusCon.

Find Marisa Fagan at

Similar Talks

Tracks