Security BSides Las Vegas 2025

Product Security: The Googley Way
2025-08-05, Florentine E

Product security is an emerging field combining foundations from application security and platform security in a context that matters: delivering offerings in a public cloud. In a world where products evolve from prototypes to planet-scale platforms within months, there is a desperate need for a new approach.

This 40-minute talk reveals Google's product security philosophy, showing you how Google embeds security into every stage of the SDLC, fostering a culture where engineers and security professionals collaborate to build resilient and trustworthy products. I will cover the key principles that underpin Google's novel approach, from threat modeling and secure design to vulnerability management and pentesting. These key principles can be applied in any organization.

In just 40 minutes, you will learn:
* how to use product security to shift from a reactive, "protect the company" mindset to a proactive, "build secure products" approach;
* how to build a Universal Risk Register to present risk in the language of engineering;
* how to apply focused security assessments to provide better governance over a portfolio of products;
* how to cultivate a healthy security culture through federation and shared fate.

Implementing this approach tackles the most important tasks: finding risk and fixing issues.


This is the presentation I wish I could have given to myself when I was starting out as an AppSec professional. Product Security is a larger domain and discipline in the universe of InfoSec. It spans everything from an HTTP request to silicon hardware. It enumerates every multidimensional aspect of the product, through all phases of that product's lifespan.

There is the traditional SDLC here (design, planning, implementation, etc.). There is also an evolution from an experimental prototype, to productization, and then platformization. The secondary phase, productization, is bringing the product or feature online, to Google's standards. The last phase is integration and optimization within an ecosystem of capabilities. A platform at this scale is an ecology of products, systems and teams. Google has a mass of technical infrastructure that it has been developing for a quarter of a century. There are powerful principles defining how to build well.

Focus on the user, right? In Cloud, the user could be a founder setting up a Workspace account on a brand new domain, a 500,000-person corporate conglomerate, a small non-profit, or a government agency. It has to work for all of the above. Beyond shared responsibility, this is about shared fate.

I have presented at many security conferences, numerous BSides and DEF CON. I am ready to share the many new lessons in this evolving discipline.

Ochaun Marshall is a Product Security Engineer at Google Cloud. His focus is on Rapid Risk Assessments on Google Cloud products. In his day-to-day, he collaborates with engineers, security operators, and leadership to enable Google Cloud to grow securely. This involves rapidly switching gears between pentesting, vulnerability management, threat modeling, and other security assessments. Everything he does is summed up in: "I code. I teach. I hack." His previous talks include "Flex Seal your CI/CD pipeline", "The OPSEC of Protesting", and "The last log4j talk you ever need". He has spoken at numerous BSides and DEF CON. He'll be presenting at BSides LV for the first time in 2025.