Security BSides Las Vegas 2025

Ochaun Marshall

Ochaun Marshall is a Product Security Engineer at Google Cloud. His focus is on Rapid Risk Assessments on Google Cloud products. In his day-to-day, he collaborates with engineers, security operators, and leadership to enable Google Cloud to grow securely. This involves rapidly switching gears between pentesting, vulnerability management, threat modeling, and other security assessments. Everything he does is summed up in "I code. I teach. I hack." His previous talks include "Flex Seal your CI/CD pipeline", "The OPSEC of Protesting", and "The last log4j talk you ever need". He has spoken at numerous BSides events and DEF CON. He'll be presenting at BSides LV for the first time in 2025.


Session

08-05
18:00
45min
Product Security: The Googley Way
Ochaun Marshall

Product security is an emerging field combining foundations from application security and platform security in a context that matters: delivering offerings in a public cloud. In a world where products evolve from prototypes to planet-scale platforms within months, there is a desperate need for a new approach.

This 40-minute talk reveals Google's product security philosophy, showing you how Google embeds security into every stage of the SDLC, fostering a culture where engineers and security professionals collaborate to build resilient and trustworthy products. I will cover the key principles that underpin Google's novel approach, from threat modeling and secure design to vulnerability management and pentesting. These key principles can be applied in any organization.

In just 40 minutes, you will learn:
* how to use product security to shift from a reactive, "protect the company" mindset to a proactive, "build secure products" approach
* how to build a Universal Risk Register to present risk in the language of engineering
* how to apply focused security assessments to provide better governance over a portfolio of products
* how to cultivate a healthy security culture through federation and shared fate

Implementing this approach tackles the most important tasks: finding risk and fixing issues.

Ground Floor
Florentine E