Now Matters. That is the theme for this year’s RSA conference.
Now matters, because it drives what’s next. Technology, the pace of development and the sophistication of attackers are all more advanced than ever. The average time from disclosure of a known vulnerability to a publicly available working exploit has dropped from 45 days in 2011 to 3 days in 2017. As an industry, we don’t celebrate success; instead we constantly worry about failure. The speakers suggested that we should not neglect the little things in security, as the aggregation of marginal gains can make a huge difference. They talked about how culture matters, and that 70% of people view security as a nag, someone who always says “no”. We need to focus on securing the developer experience too, and that is the only way to really shift left. They also said that playbooks are good, but they crack under pressure; and nobody learns how to swim by watching YouTube. So we need to run drills, or cyber ranges, to sharpen our response capabilities. We also need more open collaboration between organisations to supercharge our threat intelligence and interactions, to get us ahead of tomorrow’s threat, today.
I also attended a learning lab on using the VERIS framework for describing and recording an incident. It was a hands-on workshop and we got to create an incident response strategy for some simulated scenarios. The scenario I worked on was a cloud-hosted ecommerce site that had been compromised so that the initial payment page was fake.
I did a talk at the conference for the DevSecOps Seminar. My talk was titled “An Iterative Approach to Smashing Security Bugs”. It was a talk on Tyro’s security journey in dealing with known security vulnerabilities and how we went about reducing them in our applications and also preventing them from being introduced. I was told that 114 people attended the seminar.
I also had the pleasure of joining Mark Miller and DJ Schleen’s talk, titled “We are all Equifax: Lessons (Not Learned)”. Mark was the main person driving the presentation, with DJ and myself sharing our opinions and thoughts on the data being presented. It was my first time seeing most of the slides and I felt it was akin to being in the Hot Seat. You have to think fast and yet think through what you want to say before speaking. I enjoyed it though, as it really got me outside my comfort zone.
One of the most valuable parts of the conference was the networking. The conversations with other speakers and attendees are where I get to bounce ideas and hear what other organisations are doing to solve similar issues. I found DJ’s approach of using KPIs to measure the number of defects versus lines of code quite interesting. Stefan’s talk about the importance of developer experience really resonated with me, as it is something we hold with great importance at Tyro. I found the stats in the Oracle report quite interesting: 85% of people surveyed said that more than half of the data stored on cloud servers is sensitive. I also learned through a contact that they are constantly dealing, on a weekly basis, with PII being accidentally leaked into their log server.
Below are some photos from the event.