“Process” is often seen as a antithetical to the fast-moving nature of startups; security processes, in particular, can be regarded as a direct impediment to shipping cool features. On the other hand, the security of an organization and its users shouldn’t be disregarded for

the sake of speed. Striking a balance between security and nimble development is a vital aspect of a security (in particular, application security) team. At Slack, we have implemented a secure development process which has both accelerated development and allowed us to scale our small team to cover the features of a rapidly growing engineering organization.




In this presentation we will discuss both our Secure Development Lifecycle (SDL) process and tooling, as well as view metrics and provide analysis of how the process has worked thus far. We intend to open-source our tooling as a supplement to this presentation, and offer advice for others wishing to attempt similar implementations. We'll discuss our deployment of a flexible framework for security reviews, including a lightweight self-service assessment tool, a checklist generator, and most importantly a chat-based process that meets people where they are already working. We’ll show how it’s possible to encourage a security mindset among developers, while avoiding an adversarial relationship. By tracking data from multiple sources, we can also view the quantified success of such an approach and show how it can be applied in other organizations.


Speakers

Max Feldman
Slack, Inc
Max Feldman works on the Product Security team at Slack, where he works on the bug bounty and security assessments of Slack features, as well as the development of security tools and automation. He was previously a member of the Product Security team at Salesforce.


Zachary Pritchard
Security Engineer, Slack

Fikrie Yunaz
Slack, inc

Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications. He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle.


-

Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...