Published on Dec 3, 2015
YES, YOU CAN WALK ON WATER: APPLICATION & PRODUCT SECURITY ON A STARTUP BUDGET Brian Knopf @DoYouQA
BIO: Brian Knopf has 20 years of experience in IT, dev, QA/QE, & security. He has led QA, automation, security, and development teams for companies including Belkin, Linksys, Rapid7, MySpace, Youbet.com, eUniverse, and VeriTest. Currently Brian is the Principal Security Advisor & Researcher at Wink Inc. There he is responsible for SDL, PSIRT, security research, pentesting, training, bug bounty and researcher programs, and threat modeling for Wink products and partner integrations.
ABSTRACT: Using small or almost non-existent budgets as an excuse for not running application and product security programs is not acceptable. The rapid growth of low-margin IoT devices from startups changed the way security teams have to operate. Instead, we learned to leverage external researchers by incentivizing them with free products, thanking and embracing researchers for their help, and promising transparency into our direction and enhancements, with the goal of secure consumer devices for everyone.
This talk will walk through the creation of two successful application and product security teams built in organizations without many resources or large budgets. Those programs included regular threat modeling, bug bounty programs, proactive engagement with researchers, security analytics monitoring, and vulnerability research. Even with the budgetary and staffing constraints, the teams were able to deliver increasingly secure products that continue to push the boundaries of consumer device security in a market where consumers refuse to pay more for the cost of securing them. This discussion is not about the companies themselves; it is instead a model any startup can adopt to deliver solid products, rather than using excuses to defer action.
REASON: Without the resources internally to find major vulns, we were able to identify a critical vuln from a researcher on the bug bounty that had the ability to greatly affect all customers' homes. It was patched within 24 hours. That is a perfect example of why this program is critical to the security and privacy of consumers and why every IoT manufacturer should follow this program. There were multiple other vulns discovered with the program that also make the same point.