You are a software developer or engineering leader in a typical internet product or service company. You have web, mobile, or native apps for different platforms, and your backends run in the cloud. You embrace test-driven development, rapid iterations, infrastructure as code, continuous delivery, and monitoring.
But what about security? Someday your users, your clients, or your CEO will ask this question. Maybe there is another breach in the news. Or someone has sent a vulnerability report to security@yourcompany.com. Wait, do you even have a security@yourcompany.com mailbox?
In a big enterprise, someone else takes care of security for you. In a growing internet product company, you have to build it from scratch.
In this talk, I'll show how to get started, focusing on the practical things that worked for us at Grammarly. We will talk about:
How much security is enough?
When to build a security team and how to establish roles and structure.
Working with external consulting and penetration testers.
How to launch a bug bounty program and make the most of it.
How a security team interacts with development teams in a non-blocking way.
What if your DevOps (or NoOps) teams release features and experiments multiple times per day?
Infrastructure, tools, monitoring, and automation for DevSecOps.
Building a Security Program at Grammarly - XP Days 2019
Building a Security Program at Grammarly
Dima Tiagulskyi - Software Engineer, Security Team
References

Early Life
https://twitter.com/badthingsdaily
https://enterprise.verizon.com/resources/reports/dbir/
https://krebsonsecurity.com/
https://www.loopio.com/blog/respond-security-questionnaires-3

Bug Bounty
https://danielmiessler.com/study/security-assessment-types/
https://hackerone.com/grammarly
https://www.bugcrowd.com/
https://hackerone.com/dropbox
https://securitytxt.org/

Jurassic CorpSec
Building Identity for an Open Perimeter
https://www.gartner.com/reviews/market/access-management
https://support.1password.com/create-share-vaults/
https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

Protecting Endpoints
https://www.jamf.com/
https://en.wikipedia.org/wiki/Endpoint_Detection_and_Response
Configure an external recipient warning

Security Team
https://about.gitlab.com/handbook/engineering/security/#security-department
https://www.owasp.org/index.php/OWASP_SAMM_Project
https://www.cisecurity.org/controls/cis-controls-list/

Incident Detection and Response
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html
https://www.dmtf.org/standards/cadf
https://aws.amazon.com/products/security/
https://www.sumologic.com/security/
https://www.cisecurity.org/cis-benchmarks/

Infrastructure
https://aws.amazon.com/organizations/
https://aws.amazon.com/controltower/
https://aws.amazon.com/blogs/compute/refreshing-an-amazon-ecs-container-instance-cluster-with-a-new-ami/

Abuse Research and Infrastructure
https://www.troyhunt.com/
https://elie.net/