BSides Toronto 2020

Breaking the Habit with Continuous Security
2020-10-17, 11:30–11:50, Twitch

Growth is often a positive indication a business is thriving, which often leads to security complications: increased attack surface, growth in assets, aggressive time to market objectives and new opportunities for security to go wrong.

This talk will provide you with a deep technical insight into how we built a continuous security platform to reduce our attack surface, while keeping the signal to noise ratio as the prime objective, the lessons we learnt, and how you can do it too.

If you are a security practitioner, the chances are pretty high that you have used a traditional vulnerability scanning tool, and you are familiar with how often a CVSS 10.0 vulnerability does not translate to an immediate risk. Traditional vulnerability scanners are useful, however, they only provide point-in-time scans and only detect specific types of issues.

You ran a security scan against your assets in Q1 which resulted in a clean security report, great start! However, what if your attack surface grew by 50% before you had time to scan again the next quarter, or week?

At any scale, and particularly in large ones, automating security detection without false positives is not an easy task. In this talk, you will learn how to work towards accomplishing a continuous scanning state, without spending thousands of dollars on commercial tools.

In cloud environments, vulnerabilities often don't exist for a long period of time, due to the nature of the cloud and continuous deployments. How do you detect a vulnerability when your surface is continuously changing? In this talk, we will show you how we did it.

Dolev Farhi is the Principal Security Engineer at Wealthsimple. Previously, he was the security engineering lead at Paytm, the world’s fastest-growing mobile payment and commerce ecosystem.

Dolev has worked for several security firms, such as CyberArk and F5 Networks, and provided training for official Linux certification tracks. He specializes in Linux/UNIX security, web application security, and offensive security automation. He is the founder of DEFCON Toronto, a popular Toronto-based hacker group and enjoys researching weird IoT devices.