Engineering Security Lightning Tech Talks

Note: We must collect your first and last name for security reasons prior to the event. You will also need to sign an NDA when entering the building.

Agenda:
- 5:30 - Doors open, Food and Networking
- 6:00 - Security Response and Investigations, Phil Lee
- 6:10 - Identity & Access Management, Sung Hon Wu
- 6:20 - Cloud Security, Sonal Desai and Solomon Sia
- 6:30 - Technical Privacy, Ahmed Ibrahim
- 6:40 - Hardening, Joseph Macaulay
- 6:50 - Security Guidance, Jonathan Bushnell
- 7:00 - Application Security, Aastha Yadav
- 7:10 - Q&A and Networking

6:00 - Threat detection (Red level).

6:20 - Secrecy team. Identity grants permissions. JIT security credentials (hellishly hard). Constantly look at logs (did someone stash keys there? Is someone hunting?).

6:30 - Cloud security is like driving fast cars: great capabilities, but great responsibilities. Know-how can be transferred to other clouds. Means you end up with adversaries. Wheel boot > brakes. Preventive. Detective. Corrective. Relax by automating. Leverage cloud to secure cloud. Why is logging a top priority for cloud? Because detecting should happen in seconds (sometimes we need to go back years, months, minutes). GCP Stackdriver > instrument it > send it to Pub/Sub for monitoring. ELK stack extracts logs. Push to Hive. Q&A: GCP Security Command Center. It can detect anomalies. We are working toward an AI security pipeline.

6:30 - Technical Privacy > Big Data. The Privacy Engineer's Manifesto. Definition of privacy. Collect and use only the amount of data you have permission for (don't do this). Transparency. Be forthright about who you share data with. Privacy Eng mission. Uber started in 2009. 10 years of data lake.

Tech Stack.
- Scale
- Resiliency
- Correctness
- Efficiency
- Data Minimization

- Address Anonymization
- Privacy Control on App
- User Data Export

Account Deletion and Reactivation (30 days). After 30 days, delete every PII element, following correctness.

Q&A. Can't go into any more details. Privacy is in its infancy. Collect only what's needed (e.g. 2007 app change). CC, address: each PII element.

6:40 - Hardening, Joseph Macaulay: ex-Fed Gov dev. Zero Trust Architecture. We don't trust any device. We establish trust on each device. We enforce workload constraints. A big part is endpoint protection. Email security. Vision / goal: keep all the bad stuff out (sometimes false positives).

6:50 - Security Guidance, Jonathan Bushnell (see What We Do pic). Security reviews: work cross-functionally (even standards for M&A). Our team scales threat modelling.

7:00 - Application Security, Aastha Yadav. Vulnerability Lifecycle: Discovery. Remediation. Prevention. How to automate security testing. Give specifics in the ticket: exactly where and what is vulnerable. 1-click POC.

Regression testing platform vision:
- Why?
- What?
- How?
  -- Sandboxed environment
  -- Continuous testing
  -- Automatically change states of tickets