BSidesLuxembourg 2026

Lisi Hocke

Lisi found tech as her place to be in 2009 and has grown as a specialized generalist ever since. Building great products that deliver value together with great people motivates her and lets her thrive. As a security engineer, she’s now fully focusing on all things product security to help build more secure solutions. She's committed to testing and quality, passionate about whole-team approaches to increase effectiveness and resilience, and enjoys experimenting and learning continuously. Having received a lot from communities, Lisi is paying it forward by sharing her stories and learning in public. She posts on Mastodon as @lisihocke@mastodon.social and blogs at www.lisihocke.com. In her free time, she plays indoor volleyball or delves into computer games and stories of all kinds.


Sessions

05-06
10:00
120min
Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day
Lisi Hocke

Building valuable solutions is a complex endeavor that requires a breadth of knowledge. That not being enough, we’re also getting asked to build secure solutions in a secure way - yet what does that even mean? How do we incorporate such a vast area of expertise into our everyday workflows?

In this hands-on workshop, I will introduce you to core security concepts, like the CIA triad or defense in depth - and how we can apply them in everyday work. Based on a practical example, we will go through the development lifecycle with security in mind. You will learn about threat modeling to uncover risks early on, secure coding principles to bake security in, security testing approaches to make informed decisions depending on your risk appetite, and ways of detecting potentially malicious activity to protect against. Interactive exercises at each step will let you experience how security can neatly fit with what you’re already doing without adding artificial gates.

Whether you want to keep your system secure or get a neglected one back in shape, this session is for you. Join us to gain fundamental security knowledge, hone your security skills, and get tactical advice to secure your development lifecycle. Let’s make things a bit more secure than yesterday every day!

Workshops May 6th (C1.03.06)

05-07
15:40
40min
Out of Security Exception - What to Do Without an Expert to Secure Your Software
Lisi Hocke

“We requested a review from security a month ago and there’s no feedback.” Does this sound familiar to you? Maybe you’ve heard that your security team is occupied with other tasks that are “higher priority” and your product is just not. “Nothing we can do, security is an expert’s job.” Or maybe you simply don’t have any dedicated security team in your company. So, your hands are bound and you can’t do anything anyways, right?

What if you could, though? What if you could do a lot more than you might think to make your software more secure? What if you could save time and effort by taking security into your own hands?

In this talk, we’ll go through several activities that you might already do right now, and demonstrate how you can shape these to improve your product’s security posture. Let’s take a few examples: when you’re analyzing the next product changes, you can use threat modeling to also consider potential security issues and hence plan their implementation with security in mind. Collaborating across roles on developing the changes can help you detect security flaws before they make it to production. Investing in maintenance and reducing technical debt will at the same time make your product a less attractive target. When observing production, you can spot malicious actors probing your system, enabling you to respond before harm is done.

If you apply good software development practices, they help you make your product more secure, and good security practices help you make software that provides more value and less harm. With and without an expert at hand.

Key learnings:
- Stop waiting for dedicated security experts and start acting yourself
- Understand how good software development practices support security practices and vice versa
- Gain insights on what an engineering team can do themselves to build secure enough products
- Learn how to use this newly found leverage of benefits on all sides when prioritizing which changes and activities to invest in

Secure Development track
Workshops and Stage - Gernsback (C1.05.02)