Loading…
SnykCon 2020 has ended

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Wednesday, October 21
 

14:20 BST

The Developer Desktop - Part 1 - Open Source
The developer experience (IDE, CLI, OS Advisor) planning, validating, and fixing third party dependencies.

Speakers
avatar for Agata Krajewska

Agata Krajewska

Software Engineer, Snyk


Wednesday October 21, 2020 14:20 - 14:40 BST

14:20 BST

Beyond the Devops Handbook - What about devsecops?
It's been five years since the devops Handbook came out. There were some hints of devsecops. In this panel we'll discuss how devops has evolved and how devsecops is a natural consequence.

Speakers
avatar for Patrick Debois

Patrick Debois

Director of Market Strategy, Snyk
In order to understand current IT organizations, Patrick has taken a habit of changing both his consultancy role and the domain which he works in: sometimes as a developer, manager, sysadmin, tester and even as the customer.He first presented concepts on Agile Infrastructure at Agile... Read More →
avatar for John Willis

John Willis

Senior Director, Global Transformation Office, Red Hat
John has over 35 years of experience, focusing on IT infrastructure and operations. He has helped early startups such as Chef, Enstratius (now Dell), and Docker navigate the "DevOps" movement. He is one of the original core organizers of DevOpsDays and has been a prominent keynote... Read More →
avatar for Gene Kim

Gene Kim

Founder and Author, IT Revolution
Gene Kim is a Wall Street Journal bestselling author, researcher, and multiple award-winning CTO. He has been studying high-performing technology organizations since 1999 and was the founder and CTO of Tripwire for 13 years. He is the author of six books, The Unicorn Project (2019... Read More →
avatar for Sasha Rousenbaum

Sasha Rousenbaum

Senior Product Manager, Github
Sasha is a Product Manager at GitHub, focused on helping engineers be successful with using GitHub for work as well as for open source. In her career, Sasha has worked in development, operations, consulting, and cloud architecture. Sasha is an organizer of DevOpsDays Chicago, a chair... Read More →


Wednesday October 21, 2020 14:20 - 14:40 BST
Main Track

14:40 BST

Managing issues with open source dependencies
This session will focus on the capabilities within Snyk to focus on the all important question "I've onboarded hundreds of projects, what now"?

Topics will include, "Prioritization", "Fix/Merge Pull Requests", "Ignore", "Merge Advice", "Auto fix"

Speakers
avatar for Shawn Miller

Shawn Miller

Sr. Solutions Engineer /Enablement Lead, Snyk


Wednesday October 21, 2020 14:40 - 14:55 BST
Demo Track

14:40 BST

Blow up your Security: We are all Engineers
There are two ways that application security appears in automated development pipelines - engineers introduce tooling, or application security tells engineers what tools to use. One way is an organic approach to addressing vulnerabilities in code and treating security issues as a component of software quality, and the other is akin to death from above. A carpet bombing of engineering practices.

It's time to flip application security on its head and transform traditional application security teams that know about engineering, to engineering teams that specialize in security.

Join DJ Schleen as he discusses how to implement a program that promotes the developer first way of addressing application security, how it fosters collaboration, and how a simple mind shift can ensure your DevSecOps transformations are successful.

Speakers
avatar for DJ Schleen

DJ Schleen

DevSecOps Evangelist and Security Architect, Rally Health
DJ is a DevOps pioneer, and DevSecOps Advocate in the Healthcare industry and provides thought leadership to organizations looking to integrate security into their DevOps practices. He comes from a practitioner background and specializes in architecting DevSecOps pipelines, automating... Read More →


Wednesday October 21, 2020 14:40 - 15:00 BST
Main Track

14:55 BST

From the Developer Desktop to Production
This session is for new users or individuals contemplating Snyk who would like to see the workflows of Snyk. The presenter will show code progressing from the developer desktop, through code repository, CI/CD and production capabilities of Snyk to analyze open source.

Speakers
avatar for Philippe Stemberger

Philippe Stemberger

Solutions engineer, Snyk


Wednesday October 21, 2020 14:55 - 15:10 BST
Demo Track

15:00 BST

How did the Department of Defence move to Kubernetes and Istio?
Discover how the largest organization in the world move to DevSecOps by adopting Kubernetes and Istio to move at the pace of relevance. The Department of Defense is using Kubernetes on jets and various systems and have a hundred thousand people to train each year. Learn about their Enterprise Service and the code they open-sourced.

Speakers
avatar for Nicolas Chaillan

Nicolas Chaillan

Chief Software Officer, U.S. Air Force
Mr. Nicolas Chaillan, a highly qualified expert, is appointed as the first U.S. Air Force Chief Software Officer, under Dr. William Roper, the Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, Arlington, Virginia. He is also the co-lead for the Department... Read More →


Wednesday October 21, 2020 15:00 - 15:20 BST
Main Track

15:10 BST

CI/CD - Part 1 - How it Works
The presenter will discuss Snyk's role and workflow as part of CI/CD, discussing gating and/or monitoring, and the features available.

Speakers
avatar for Philippe Stemberger

Philippe Stemberger

Solutions engineer, Snyk


Wednesday October 21, 2020 15:10 - 15:25 BST
Demo Track

15:30 BST

SnykCon Welcome & Keynote
Join Snyk CEO Peter McKay and Snyk co-founder Guy Podjarny to kick off SnykCon 2020 with reflections on 2020; updates on the rapidly evolving modern security market; and a big announcement about what’s coming next for the Snyk Platform. 

Hear from Snyk Chief Product Officer Aner Mazur about recent product enhancements and some insights into the Snyk product roadmap for 2021! 

Speakers
avatar for Guy Podjarny

Guy Podjarny

Co-founder & President, Snyk
Guy Podjarny (@guypod) is the cofounder and CEO at Snyk.io focusing on securing open source code. Guy was previously CTO at Akamai following their acquisition of his startup, Blaze.io. Prior to that, Guy worked on the first web app firewall & security code analyzer, and dealt with... Read More →
avatar for Aner Mazursky

Aner Mazursky

Chief Product Officer, Snyk
Aner is the VP of Product Management at Snyk. He is responsible for setting the product strategy and delivering open source security solutions for developers. Prior to joining Snyk Aner was head of product management at Outbrain, and prior to that Aner came from an algorithmic R&D... Read More →
avatar for Peter McKay

Peter McKay

CEO, Snyk


Wednesday October 21, 2020 15:30 - 16:30 BST
Main Track

16:30 BST

16:45 BST

Demos Rapid7
Wednesday October 21, 2020 16:45 - 17:00 BST
Demo Track

17:00 BST

17:15 BST

Exit Stage Left: Eradicating Security Theater
Information security is often perceived as the surly gatekeeper of I.T. whose iron grip chokes software delivery. Infosec commands the stage in this security theater, instituting punitive policies, procedures, and controls masquerading as security strategy. The negative side effects created by these “strategies” are traditionally overlooked when measuring security outcomes, resulting in superficial progress at the expense of organizational growth and productivity.

In this talk, we will unmask security theater and explore how it leads to increased organizational friction, especially in the realm of software delivery, rather than promoting safety. We will contrast these dramatics with a security chaos engineering approach – one which embraces the importance of convenience, alignment with organizational goals, and the wisdom derived from failure. Finally, we will conclude by exploring pragmatic approaches to security approval patterns that accelerate software delivery, level up security, and foster a collaborative culture between dev, ops, and infosec.


Speakers
avatar for Kelly Shortridge

Kelly Shortridge

VP of Product Management and Product Strategy, Capsule8


Wednesday October 21, 2020 17:15 - 17:45 BST
Main Track

17:45 BST

17:55 BST

Snyk Open Source 101
Using open source provides development teams with the speed and flexibility needed to deliver value at the pace required by their businesses to remain competitive. It’s little wonder that open source often composes up to 90% of codebases in modern applications.
But this growing reliance also introduces a significant amount of security and legal risk. Open source dependencies may contain exploitable security vulnerabilities, exposing the organization to attacks by hackers.  As more and more open source code is used, accidental license violations may result in fines and injunctions. Software Composition Analysis (SCA) has grown in importance over the last few years to help organizations manage and reduce this risk, and now plays a key role in application security. 
In this session, we will go over the three key ingredients making Snyk Open Source the leading software composition analysis (SCA) tool in the market: developer-friendliness, automated remediation, and security depth. If you are new to Snyk Open Source or have never heard about it, this is the session for you!

Takeaways

Leaving this session, you’ll have a crystal-clear understanding of the risk involved in pulling in open source packages, the challenges involved in managing this risk, what’s required to overcome these challenges, and where Snyk Open Source fits in as an SCA solution. 

Consider this a Snyk Open Source 101 session. You will learn about the three key foundations Snyk Open Source was built on and how they help over 1.5 million users worldwide find, prioritize, and fix security vulnerabilities and license issues in their open source dependencies:

  • Developer-friendliness
  • Automated remediation
  • Security depth 

For deeper dives into advanced Snyk Open Source topics, be sure to attend the following sessions:

  • Fixing the cost of fixing - the road to zero vulnerabilities 
  • License to chill: Staying compliant with Snyk license compliance 
  • How to prioritize your vulnerabilities 


Speakers
avatar for Daniel Berman

Daniel Berman

Product Marketing - Snyk Open Source, Snyk
Product marketing director for Snyk Open Source. Write/talk about DevSecOps'ie stuff. @DevOpsDaysTLV organizer. DadOps, runner, and shameless LFC fan... Read More →


Wednesday October 21, 2020 17:55 - 18:25 BST
Product Track

17:55 BST

How to Implement a DevSecOps Culture in a Large Enterprise - People, Processes, Tools
What skills and knowledge areas are required in building a security engineering team.

How to define and implement a security engagement model across a large number of development teams.

What security tools can aid this activity and how to implement them effectively.

Speakers
avatar for Paul Graziano

Paul Graziano

DevSecOps Engineer, Pearson
avatar for Nicholas Vinson

Nicholas Vinson

DevSecOps Lead, Pearson
Leading a team of highly skilled engineers in defining and implementing a security engineering function within Pearson and driving a DevSecOps transformation for the past two and half years.Previously worked as a DevSecOps Consultant, Penetration Tester, Lead DevOps Engineer, and... Read More →
avatar for Owen John

Owen John

Platform Security Lead, Pearson



Wednesday October 21, 2020 17:55 - 18:25 BST
Process & Culture Track

17:55 BST

SCA & Enterprise Vulnerability Management
While software composition analysis is typically found as part of the development cycle, it can also enable the traditional vulnerability management (VM) toolchain to gain insights into vulnerabilities on production assets. In this talk we'll explore how enterprise vulnerability management deals with open source vulnerabilities, how SCA can help, and how these vulnerabilities map to commonly used frameworks in the VM space, like MITRE ATT&CK. In addition to surveying application vulnerability management, we will also show process models for managing container vulnerabilities and issues that can be found inside infrastructure as code definitions.

Speakers
avatar for John Bock

John Bock

R&D, Optiv
John Bock is a member of the Research & Development group at Optiv Inc. In R&D he is focused on the emergent security landscape and threats to new technologies that are still developing a resilient security posture. Prior to this role, John was the leader of Optiv’s Application... Read More →


Wednesday October 21, 2020 17:55 - 18:25 BST
Technology Track

18:00 BST

CI/CD - Jenkins
Integration setup and job configuration options for open source dependencies and containers via the Jenkins Integration

Speakers
avatar for Philippe Stemberger

Philippe Stemberger

Solutions engineer, Snyk


Wednesday October 21, 2020 18:00 - 18:15 BST
Demo Track

18:15 BST

CI/CD - Azure
Integration setup and job configuration options for open source dependencies and containers via the Azure Integration

Speakers
avatar for Philippe Stemberger

Philippe Stemberger

Solutions engineer, Snyk


Wednesday October 21, 2020 18:15 - 18:30 BST
Demo Track

18:25 BST

Need better security decisions? Get a better vulnerability database!
Imagine you find a vulnerability in your code. A vulnerability that looks nasty and challenging to fix. What do you do?

Most developers in this situation will reach out to someone with a better security understanding for help. At first they’ll say “Oh, this does look nasty.” They’ll do some basic internet searches to learn a bit, read your code, and research the vulnerability. The more time they invest and the more data they provide back to you, the more you’ll trust their answer when they ultimately say: “Yes, you have to fix this.”

The process happens the same way when hundreds or thousands of vulnerabilities need to be addressed. With better data available, we can make better decisions better. In the world of open source vulnerabilities, the vulnerability database you chose to use empowers your solution and enables your decision making. And the better that database is, the better your security decisions are.

In this talk we will look at the characteristics of a high quality vulnerability database and how it helps the results of an appsec program, specifically looking at:
  • The evolution of database generations
  • What it takes to enable sophisticated security decisions at scale
  • Examples of advanced metadata and its potential usage
Takeaways
In this session, Shani Gal, Product Lead for Snyk Intel Vulnerability Database, will share insights on the evolution of open source vulnerability databases. 

For development teams building applications we’ll look at:
  • What should you expect from a vulnerability database, to make sure your time is well spent?

For security teams / development teams owning fixing vulnerabilities
  • How might you use vulnerability data to make better decisions on what should be done?
  • Data you should consider when building your future system


Speakers
avatar for Parag Dave

Parag Dave

Product Management, Red Hat
avatar for Shani Gal

Shani Gal

Director of Product, Security group, Snyk


Wednesday October 21, 2020 18:25 - 18:55 BST
Product Track

18:25 BST

Security Culture: Why You Need One and How to Create It
Strong cultures permeate people’s mentality and the way that they behave, their receptiveness to new ideas and thoughts, and their motivation to do security tasks.  Organizations with a positive security culture have immense capability to build resilient products and reduce security debt.

Every organization has a security culture, either good or bad, even if a security team or company has never invested in it. It is the underlying driver of why people choose to do what they do around security. This is exactly why security teams and their organizations need to take ownership and proactively shape the culture into a direction that supports the security well-being of the organization.

This talk will go into understanding how to measure your organization's current security culture and how to define where you want to go. From there we will look into techniques of how to begin to shape your organization’s security culture to become more resilient and enable people-powered security.



Speakers
avatar for Masha Sedova

Masha Sedova

Co-Founder, Elevate Security
Masha Sedova is an industry-recognized people-security expert, speaker, and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security delivering the first people-centric security platform that leverages behavioral-science... Read More →


Wednesday October 21, 2020 18:25 - 18:55 BST
Process & Culture Track

18:25 BST

User Story Threat Modeling: It's the DevSecOps Way
Threat modeling is one of those security practices that is most often left out of the DevOps pipeline. Yet according to the Puppet 2019 State of DevOps Report, while not as often practiced in a DevOps Pipeline, collaborative threat modeling can have the most significant impact on security posture. So how bring the typically labor intensive methodology of threat modeling into a practice that doesn't break our DevSecOps pipeline?

In this session, we'll discuss a user story-based approach for threat modeling that was developed by asking the question, why do we threat model in the first place. The methodology presented focuses on continuous improvement by eliminating time consuming frameworks, limiting the scope, and providing valuable information that makes incorporating and validating security controls easier throughout the delivery pipeline. We'll even walk through a practical application of this methodology to show how it drives greater collaboration among various teams to make the ideals of DevSecOps culture a reality.

Speakers
avatar for Alyssa Miller

Alyssa Miller

Application Security Advocate, Snyk
Alyssa Miller is a hacker, security evangelist, cybersecurity professional and public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments, but also helping develop... Read More →


Wednesday October 21, 2020 18:25 - 18:55 BST
Technology Track

18:30 BST

CI/CD - Part 2 - Advanced configuration options and plugins available.
This session will cover the CLI and advanced options available to build integrations. Plugins will include, but not limited to snyk-to-html, snyk-to-jira, Snyk Delta and Snyk Filter.

Speakers
avatar for Kriti Dogra

Kriti Dogra

Solutions engineer, Snyk


Wednesday October 21, 2020 18:30 - 18:45 BST
Demo Track

18:45 BST

CI/CD - Part 3 - CI/CD Best Practices
This session, hosted by one of the most experienced customer success managers, will discuss implementation and rollout strategies within your pipelines to ensure success.

Speakers
avatar for Shawn Miller

Shawn Miller

Sr. Solutions Engineer /Enablement Lead, Snyk
avatar for Omri Negri

Omri Negri

Customer Success Team Manager, Snyk


Wednesday October 21, 2020 18:45 - 19:00 BST
Demo Track

18:55 BST

DevSecOps in containers and serverless.
What are the jobs to be done, which model is most effective from a security perspective - 
serverless or Kubernetes? How can we improve security in both fields? In this session expert practitioners will discuss what they’ve learned developing and managing systems using modern infrastructure for enterprises and web scale companies. What’s lacking in the serverless ecosystem? What about Kubernetes? How can enterprises safely deploy new technologies, serving the needs of developers, whilst maintaining security for governance, risk and compliance. 

Speakers
avatar for Andrew Martin

Andrew Martin

CEO, Control Plane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is comfortable profiling and securing every tier of a bare metal or cloud native system, and has battle-hardened... Read More →
AS

Ant Stanley

Co-Founder, Homeschool from Senzo
MK

Maya Kaczorowski

Product Manager, GitHub
avatar for James Governor

James Governor

Analyst & Co-founder, RedMonk
Founded RedMonk in 2002 with Stephen O’Grady. We focus on developers as the real key influencers in tech. Understanding that people choose technology because of gut instincts, not facts per se. An ex-journalist, I have managed teams and news agendas in weekly publication grind... Read More →


Wednesday October 21, 2020 18:55 - 19:25 BST
Process & Culture Track

18:55 BST

Building safer containers with Snyk
What does “developer-focused” container security look like and how can it change both how you create and run containers?

In this session, we’ll look at container image security from the builder’s perspective, going beyond simply uncovering vulnerabilities to coming up with a practical, repeatable approach to fixing them. Along the way, we’ll show you how to think about some common questions like:
  • Which vulnerabilities, out of the 10s or 100s you might find in a container, should developers focus on? How does your team identify and prioritize your efforts to reduce risk?
  • Where in the software lifecycle should you scan container images?
  • How do you turn common container image best practices into real-world policies you can use to inspect, educate, and enforce with application teams?

We’ll also demonstrate how Snyk Container fits in at various points in the development lifecycle including CI/CD, Kubernetes clusters, and popular cloud registries.

Takeaways

Attendees should leave this session with a strategy to reduce the number of container image vulnerabilities in their environment:
  • How do you logically assess a list of container vulnerabilities in the context of how container images work?
  • How do you reduce the number of vulnerabilities in your container images? Should you be aiming for zero vulnerabilities? And if not (spoiler alert!), how do you prioritize what should be fixed?

The strategies are general enough to apply no matter what tools you might use for container scanning, but we will show you specifically how Snyk Container fits into this strategy.

Consider this session to be the container security overview, where we will talk about the technology and strategy for fixing container issues. In the Patterns for secure container base image management session we’ll go deeper on the people & process; and, for teams using Docker Desktop and Docker Hub, we’ll cover details of our integrated tools in the Snyk & Docker team up to improve container images security session.

Speakers
avatar for Jim Armstrong

Jim Armstrong

Product Marketing - Container & IaC, Snyk


Wednesday October 21, 2020 18:55 - 19:25 BST
Product Track

18:55 BST

Lighting the Flare: container scanning at scale
In this session, we'll go over how we tackled the problem of enrolling and scanning container images with Snyk across 300+ AWS accounts. We'll also go overview how we approached surfacing critical findings to the right folks to drive remediation.

Speakers
avatar for Matt Stegall

Matt Stegall

Senior Engineer, Red Ventures
avatar for Alfonso Cabrera

Alfonso Cabrera

Director of Platform Engineering, Red Ventures


Wednesday October 21, 2020 18:55 - 19:25 BST
Technology Track

19:00 BST

Test, Fix, and Monitor your Code Repositories
This session will discuss onboarding projects via a Source Code Manager integration, continuous monitoring for third party vulnerabilities, and vulnerability management via automated Fix/Merge Pull Requests.

Speakers
avatar for Sarah Gold

Sarah Gold

Solutions engineer, Snyk


Wednesday October 21, 2020 19:00 - 19:15 BST
Demo Track

19:15 BST

Managing Open Source Licenses
As an organization, monitoring license usage and gaining visibility is important, so is setting policies to ensure proper usage.

In this session we will discuss:
1) Setting Policies
2) Developer visibility
3) Reporting

Speakers
avatar for Paul Harland

Paul Harland

EMEA Solutions Engineer, Snyk


Wednesday October 21, 2020 19:15 - 19:30 BST
Demo Track

19:25 BST

Storytime - Secure Coding Libraries
Speakers
avatar for Tanya Janca

Tanya Janca

Head Nerd, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been... Read More →


Wednesday October 21, 2020 19:25 - 19:30 BST
Main Track

19:30 BST

Whoops! I Committed It Again: Configuring Git to Prevent Accidental Commits
It’s so easy to accidentally commit a secret key or sensitive data in our git repository. This lightning talk will explain how you can leverage git hooks to catch things before they get committed or pushed up to the git origin.

Speakers
avatar for Miguel A. Calles

Miguel A. Calles

Principal Engineer, VeriToll LLC
Miguel A. Calles is a certified Cybersecurity engineer that works on cloud computing projects and writes about serverless security. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large... Read More →
avatar for Greg Thompson

Greg Thompson

Full stack software engineer, Veritoll
Greg Thompson is a full stack software engineer. He’s worked on a diverse range of projects from mainframes to medical systems and bioinformatics as both an engineer and a manager. His current passion is building and deploying serverless systems in the cloud. In his down time he... Read More →


Wednesday October 21, 2020 19:30 - 19:35 BST
Main Track

19:30 BST

Stackhawk Demo
Wednesday October 21, 2020 19:30 - 19:45 BST
Demo Track

19:35 BST

Customer Awards
Snyk will be taking the opportunity during SnykCon to celebrate some of our extraordinary customers in our first ever Customer Awards.  Please join us in recognizing these champions across 4 different awards:
  • The Early Adopter Award
  • The Innovator Award
  • The Advocate Award
  • The DevSecOps All-star Award

Speakers
avatar for Peter McKay

Peter McKay

CEO, Snyk
avatar for Lindsey Serafin

Lindsey Serafin

Head of Customer Success, Snyk


Wednesday October 21, 2020 19:35 - 19:40 BST
Main Track

19:40 BST

How to deploy securely using Kubernetes & Terraform
Kubernetes is fast becoming the platform of choice for deploying modern cloud native applications and Terraform is increasingly the tool of choice for creating infrastructure to support these applications.

Their flexibility means they are powerful for a wide range of use-cases and their focus on configuration in code means they are accessible to development teams to use quickly and autonomously. 

But with this comes the challenge of knowing whether you’ve deployed your application securely. How do you understand all of the potential configuration options and their impact? How do you know that the supporting infrastructure is appropriately locked down and you are following your own teams best practices?

In this talk we will:
  • Look at a typical development flow for writing and validating a Kubernetes and Terraform deployment, starting from the command line through to your source control system
  • Discuss the the challenges and security considerations you should be aware of and how to work with your security team if you have one
  • Show a few demos of tools, including Snyk, that can help you get faster feedback
Takeaways
All attendees should come away from the session with some practical ideas they can put into practice straight away, whether they have wide adoption of Kubernetes and Terraform yet or not. 

For development teams building applications we’ll look at:
  • Why considering security from the beginning is beneficial
  • How to securely deploy to Kubernetes and the considerations in doing so
  • How to securely provision infrastructure using Terraform
  • How to seamless add security into your local development workflow, with the toolchain you are familiar with
  • How to work collaboratively with the security team

And for security teams responsible for assuring the applications and infrastructure that is being deployed, we’ll discuss:
  • How to get visibility into each application and across applications
  • How to engage with development teams to educate and empower them to develop securely



Speakers
avatar for Ben Laplanche

Ben Laplanche

Product Manager, Snyk
As the Product Manager for Snyks Infrastructure as Code offering, I'm focused on helping Developers get actionable insights into the configuration of their Kubernetes / Terraform configuration files as early as possible in their software lifecycle. Talk to me about about general Infrastructure... Read More →


Wednesday October 21, 2020 19:40 - 20:10 BST
Product Track

19:40 BST

Securing Open Source pipeline using Plug-n-Play Scanning
Salesforce believes in giving back to the community, and one of the ways engineers can give back is by open sourcing the work they have done so that other individuals can benefit from it. Until July 2020, the requests to open source any internal Salesforce work was reviewed by Product Security manually and it soon became a bottleneck. We developed an automation service that seamlessly connects with the internal task tracking system and internal security tools to provide a consolidated scan report of the repository to be open sourced saving at least 150 hours of manual work per year. This framework can now be extended to be a plug and play security scanning/testing framework capable of incorporating any tool.

Speakers
avatar for Amol Deshpande

Amol Deshpande

Product Security Engineer, Salesforce
Amol Deshpande is a Product Security Engineer on the PaaS Security Assurance team at Salesforce. He works with product and engineering teams to secure their products by performing threat modeling, code reviews and small scale penetration testing. He also works on automation projects... Read More →


Wednesday October 21, 2020 19:40 - 20:10 BST
Technology Track

19:40 BST

Sour Mint - The case of malicious advertisement SDK affecting thousands of mobile apps
In August 24th, 2020, Snyk published its research into a malicious SDK distributed by Mintegral, a Chinese ad network span off from Mobvista. In this talk we will share the details surrounding the SDK, how it went undetected for more than a year, and  the impact of our publication on the mobile advertisement ecosystem.

Speakers
avatar for Alyssa Miller

Alyssa Miller

Application Security Advocate, Snyk
Alyssa Miller is a hacker, security evangelist, cybersecurity professional and public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments, but also helping develop... Read More →
avatar for Danny Grander

Danny Grander

CSO / Co-founder, Snyk


Wednesday October 21, 2020 19:40 - 20:10 BST
Process & Culture Track

19:45 BST

Datadog Security Monitoring
Wednesday October 21, 2020 19:45 - 20:00 BST
Demo Track

20:10 BST

License to chill: Staying license compliant with Snyk
Developers prefer to use open source libraries because it enables them to develop faster while also reducing functional and operational risks. Popular ecosystems continue to show double-digit adoption rates, with npm leading the pack with 33% growth in 2019. More than 96% of applications include open source code and over 80% of a typical application's code is open source.

Before including an open source package as a dependency in their application, developers examine its functionality, popularity, and overall maintenance, but licensing is often ignored. That needs to change. Open source packages are free but do not come without a cost. Their licenses contain various stipulations and requirements, dictating how the code can be used and distributed. Not complying with these terms can end up with you and your organization facing litigation and suffering from reputation loss. Not convinced? The $100M lawsuit against Panasonic for violating a GPL 2.0 license is a good example.

In this session, you will learn about Snyk's own journey of managing and complying with the open source licenses for the software our development team uses—from a small startup with no particular compliance strategy to a leader in open source security and compliance, enabling other organizations to develop fast while staying secure AND compliant. 

Speakers
avatar for Stephanie Dominy

Stephanie Dominy

General Counsel, Snyk
avatar for Ariel Ornstein

Ariel Ornstein

Director of Product, Ecosystems, Snyk
avatar for Benji Weber

Benji Weber

Director of Engineering, Snyk


Wednesday October 21, 2020 20:10 - 20:40 BST
Product Track

20:10 BST

Hackers don't wear hoodies, they wear capes
1 out of 4 hackers don’t submit vulnerabilities due to the fear of out-of-date legislation, press coverage, and companies misdirected policies. This fear is based on socially constructed beliefs. This talk dives into the current landscape hackers are facing and what are the steps to improving it.

Speakers
avatar for Chloé Messdaghi

Chloé Messdaghi

Vice President of Strategy, Point3 Security, Inc
Chloé Messdaghi is the VP of Strategy at Point3 Security. She is an InfoSec Advocate & Activist who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights... Read More →


Wednesday October 21, 2020 20:10 - 20:40 BST
Process & Culture Track

20:10 BST

Securing Kubernetes in a ever changing ecosystem
As the cloud has conquered the world, along with the adoption of Kubernetes and other cloud-native technologies. This trend is creating organizations concerns over the security of their application containers as it changes the attack surface and the traditional application security approach has limited value. In this talk I will share thought leadership and real life examples on the prescribed best methods and technology in the ecosystem that are necessary to meet the constant changing needs of the business as we shift to a Container World.

Speakers
avatar for John Forman

John Forman

Director, Global Anthos/Kubernetes Lead, Accenture
John T. Forman is a Senior Technical Architecture Manager in the Intelligent Software Engineering Services (IES): Emerging & Growth group and acts as a SME in the OpenSource, DevSecOps, Container/Kubernetes practices. With over 20 years of experience designing and delivering complex... Read More →


Wednesday October 21, 2020 20:10 - 20:40 BST
Technology Track

20:50 BST

Multi-threaded Drum & Bass : Live Coding Music with Sonic Pi
Sonic Pi is a free code-based music creation and performance tool that targets both education and professional musicians.  It is possible for beginners to code fresh beats, driving bass lines and shimmering synth riffs. All this whilst teaching core computer science concepts such as sequencing, functions, variables, loops, data structures and algorithms.

In this discussion and performance we’ll briefly cover its history before taking a deep technical nose dive into some of the core technical innovations which enable powerful, live expression of music. We’ll explore Sonic Pi’s novel internal technologies which enable it to rhythmically synchronise concurrent threads (to the beat), deliver thread-safe deterministic randomisation and the power of representing state in its internal totally-ordered event-store.

Speakers
avatar for Dr Sam Aaron

Dr Sam Aaron

Research Associate, Sonic Pi
Dr Sam Aaron is the creator of Sonic Pi, an internationally renowned live coding performer, public speaker and science communicator.  Sam has a PhD in Computer Science and held a research position at the University of Cambridge Computer Laboratory where he initially developed Sonic... Read More →


Wednesday October 21, 2020 20:50 - 21:50 BST
Main Track
 
Thursday, October 22
 

14:20 BST

The Developer Desktop - Part 2 - Building Secure Containers with Snyk
In the session, Snyk will show how to build Docker container images, test for vulnerabilities and remediate utilizing Snyk developer tools.

Speakers
avatar for Clinton Herget

Clinton Herget

Solutions Engineer, Snyk


Thursday October 22, 2020 14:20 - 14:35 BST
Demo Track

14:20 BST

The Impact of DevSecOps Quantified
What if I could tell you the three application security practices whose adoption would most lower risk? What if I could also quantify the impact that each practice would have on your outcomes? Imagine being able to focus your entire organization (and your limited budget) on these three things rather than have your efforts spread across dozens of practices. Imagine how different the conversation with engineering teams and budget approvers will be if you can present research that shows just how important these three things are compared to other things you could invest in.

This talk is a presentation of research that quantifies the impact that various DevSecOps software security practices have on security risk outcomes. We have data from 200 different teams in the technologically and process diverse environment inside Comcast. We've tracked this data over time as teams have adopted practices like secure coding training, threat modeling, pen testing, SAST/IAST/SCA tool usage, security code review, etc. We have then correlated outcomes like network vulnerability to not only determine which practices have the most impact but to quantify how much of an impact each has.

Speakers
avatar for Larry Maccherone

Larry Maccherone

DevSecOps Transformation, Contrast
Larry Maccherone is an industry-recognized thought leader on DevSecOps, Lean/Agile, and Analytics. He currently leads the DevSecOps transformation at Comcast. Previously, Larry led the insights product line at Rally Software where he published the largest ever study correlating development... Read More →


Thursday October 22, 2020 14:20 - 14:40 BST
Main Track

14:35 BST

Securing Your Container Build Pipeline
In this session, Snyk will demonstrate how to build a secure CI/CD pipeline for containerized applications and prevent container vulnerabilities from reaching production.

Speakers
avatar for Clinton Herget

Clinton Herget

Solutions Engineer, Snyk


Thursday October 22, 2020 14:35 - 14:50 BST
Demo Track

14:40 BST

Connections and Intersections between Resilience Engineering and Security
The interdisciplinary field of Resilience Engineering is over 20 years old, even though it's only recently come into contact with the online software world. I'll describe this critical field, lay out some of the few connections that have been made to security in software-centered environments, and suggest some directions this community might go in to pragmatically move these connections and concepts forward.

Speakers
avatar for John Allspaw

John Allspaw

Founder and Principal, Adaptive Capacity Labs
John Allspaw has worked in software systems engineering and operations for over twenty years in many different environments. John’s publications include the books The Art of Capacity Planning (2009) and Web Operations (2010) as well as the forward to The DevOps Handbook. His 2009... Read More →


Thursday October 22, 2020 14:40 - 15:00 BST
Main Track

14:50 BST

Monitoring Container Images in Your Production Environment with Snyk
In this session, Snyk will show how to monitor the container images in your production environment for vulnerabilities, via the container registry, Kubernetes integration and OpenShift operator.

Speakers
avatar for Clinton Herget

Clinton Herget

Solutions Engineer, Snyk


Thursday October 22, 2020 14:50 - 15:05 BST
Demo Track

15:00 BST

Host Like Your Planet Depended On It
The cloud, machine learning, cryptocurrencies. We all know data centers use a lot of power. We're not a million miles from the aviation industry. So, what are we doing about it? The cloud providers are literally a decade apart on their progress. Who's winning? What does carbon neutral, carbon zero, and carbon negative mean? Do they have a plan and do you?

Speakers
avatar for Anne Currie

Anne Currie

Technologist, Anne Currie
Anne has spent over 20 years in the tech sector working on everything from worthy server products in the '90s to international online lingerie in the '00s to containers and the future of operations in the '10s.


Thursday October 22, 2020 15:00 - 15:20 BST
Main Track

15:30 BST

SnykCon Keynote & Fireside Chat with Adrian Ludwig, CISO, Atlassian
Snyk CEO Peter McKay will welcome you back to SnykCon with a  discussion of the modern security ecosystem highlighting key partners and integrations. 

Snyk VP of People Dipti Salopek will share an update on Snyk’s commitment to social good  amongst the communities in which we live and operate.

In the second half of the Keynote, we are excited to bring Adrian Ludwig, CISO at Atlassian, into a 1-1 discussion with Snyk co-founder Guy Podjarny to talk about what he is seeing in the modern security market, how his team is structured to keep up with the pace of devops today and how he sees Atlassian’s role in helping developers embrace security.

Speakers
avatar for Guy Podjarny

Guy Podjarny

Co-founder & President, Snyk
Guy Podjarny (@guypod) is the cofounder and CEO at Snyk.io focusing on securing open source code. Guy was previously CTO at Akamai following their acquisition of his startup, Blaze.io. Prior to that, Guy worked on the first web app firewall & security code analyzer, and dealt with... Read More →
avatar for Peter McKay

Peter McKay

CEO, Snyk
avatar for Dipti Salopek

Dipti Salopek

VP of People, Snyk
avatar for Adrian Ludwig

Adrian Ludwig

CISO, Atlassian


Thursday October 22, 2020 15:30 - 16:30 BST
Main Track

16:30 BST

Snyk Infrastructure as Code - Testing via the CLI in your SDLC
Snyk's new Infrastructure as code is an innovative solution to quickly test Kubernetes deployment files and Terraform files via the Snyk CLI!

Speakers
avatar for Ron Tal

Ron Tal

Senior Software Engineer, Snyk


Thursday October 22, 2020 16:30 - 16:45 BST
Demo Track

16:40 BST

Laugh Lunch Learn
Amidst the anxiety, social distancing, face masks and long queues, it can be hard to see the light at the end of the tunnel. This short session will bring the laughs, smiles, and virtual positive vibes needed to relieve stress, boost moods, and build community. Infused throughout the humor is a simple strategy for maintaining a sense of humor (and sanity) during the pandemic.

Speakers
avatar for Andrew Tarvin

Andrew Tarvin

World's first Humor Engineer, Humor That Works
Andrew Tarvin is the CEO of Humor That Works, a leadership development company that teaches professionals how to use humor to achieve better business results. He has partnered with top organizations–including IBM, the UN, and the FBI–to solve human challenges with humor solutions.A... Read More →


Thursday October 22, 2020 16:40 - 17:10 BST
Main Track

16:45 BST

Snyk Infrastructure as Code - Monitoring via Source Code Management Integration
The presenter will show onboarding and monitoring infrastructure as code via the Snyk web interface and source code management integration.

Speakers
avatar for Rick Harp

Rick Harp

Solutions Engineer, Snyk


Thursday October 22, 2020 16:45 - 17:00 BST
Demo Track

17:00 BST

Governance - Security and Licence Policies
Snyk has introduced Security and License Policies for Snyk Pro and Enterpise customers. Learn how to utilize these features in this session!

Speakers
avatar for Paul Harland

Paul Harland

EMEA Solutions Engineer, Snyk


Thursday October 22, 2020 17:00 - 17:15 BST
Demo Track

17:15 BST

From Control to Collaboration: Democratizing Security
The industry is still building security based on an outdated model. Where enterprises used to purchase, issue and manage the means of computing, now we need to distribute security to mobile users globally. How do we adapt? We have to change hearts and minds as well as technologies. Democratizing security means thinking differently about the people we serve. Users are not “the weakest link”; they are powerful industry drivers. We have to give up the beliefs and control we once held as unquestioned. It’s time for radical change.

Speakers
avatar for Wendy Nather (wendy0)

Wendy Nather (wendy0)

Head of Advisory CISOs, Cisco
Wendy Nather leads the Advisory CISO team at Cisco. She was previously the Research Director at the Retail ISAC, and Research Director of the Information Security Practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation... Read More →


Thursday October 22, 2020 17:15 - 17:45 BST
Main Track

17:45 BST

Organizing Your Projects at Scale using Snyk
Best practices for organizing and how to make the most of it for reporting.

Speakers
avatar for Shawn Miller

Shawn Miller

Sr. Solutions Engineer /Enablement Lead, Snyk
avatar for Omri Negri

Omri Negri

Customer Success Team Manager, Snyk


Thursday October 22, 2020 17:45 - 18:00 BST
Demo Track

17:55 BST

How to prioritize your vulnerabilities
Making security issues visible to your team is the first step in making your software more secure, but if teams are overwhelmed by the number of issues, they’re going to find it hard to know what to tackle first. It’s not a simple case of tackling the issues with the highest severity if you have thousands of high severity issues. 

Snyk has been working on a number of features to help your teams prioritize their most critical issues.

This session will share all the different criteria that Snyk uses to prioritise issues, and how you can tailor that prioritisation so it maps to what your organization cares most about.
Takeaways

This session will give you an insight into how other companies are effectively whittling down their backlog of existing issues, while addressing new ones, and how Snyk is helping them do this.
  • You’ll see how other companies prioritize their issues, helping you determine what strategies will be the most effective in reducing your organization’s risks. 
  • You’ll learn about the formulae that determines how Snyk ranks vulnerabilities, and what options are available to you to change the priority of issues, so that your teams are always tackling what your organization determines to be the most critical issues within your SLAs.


Speakers
avatar for Anna Debenham

Anna Debenham

Director of Product, SDLC Group, Snyk


Thursday October 22, 2020 17:55 - 18:25 BST
Product Track

17:55 BST

Deployment speed and security can live together
It is generally acknowledged that keeping up with DevSecOps while scaling up a company headcount comes with its share of issues and headaches. How do you keep on improving your velocity without compromising your security?

At Coveo, we come from a culture that encourages diversity, both in the technology we use and the workforce we hire. This means that you can have a microservice architecture running in the cloud composed of Java backend application, a Typescript frontend, .Net Core crawling services, Go servers and Python lambdas, all working together in harmony across a global infrastructure to provide relevance and efficiency to our clients.

Deploying such a varied ecosystem, while embracing the shift-left philosophy, is challenging, and forced us to innovate on new tools for our developers to succeed. We needed a system to package the builds, validate them for functionality and security, and deploy the application in our different environments while maintaining security and velocity. Thus was born our Deployment Pipeline with Snyk built into the core of it.

Join us to learn about our journey that ultimately made us more reliable, more efficient, and more secure.

Speakers
avatar for Jean-Alexandre Beaumont

Jean-Alexandre Beaumont

Security Engineer, Coveo
Part-time pentesting, part-time assessing compliance, full time focusing on Security, Jean-Alexandre spends his time living the CoveoLife in Quebec, Canada.
avatar for Alexandre Emery

Alexandre Emery

Cloud Platform Product manager, Coveo
Passionate about the ever evolving software world and focused on building great products tailored to the customer's reality. An intellectual interest in software development as well as in business coupled with a need to always keep on learning all lead me to the product management... Read More →


Thursday October 22, 2020 17:55 - 18:25 BST
Technology Track

17:55 BST

Enable Visibility for SecOps While Reducing Build and Runtime Application Security Risks
Cloud native application development has a wide range of advantages from boosting development efficiencies through technology and automation, to faster and more direct deployment communication and management.

DevOps introduced benefits to the application infrastructure, empowering engineers to move quickly and deploy apps more resourcefully. However, DevOps has also brought a new range of risks, to hybrid cloud platforms and application development.

Join me as I explain how I helped a top Brazilian bank, enable security for their cloud environments, serverless compute, and Kubernetes services allowing for streamlined protection. In this session, you will see a demo and learn how to reduce security risks and improve visibility across your containerized web applications.

Speakers
avatar for Amanda Veras

Amanda Veras

Solutions Architect, Trend Micro


Thursday October 22, 2020 17:55 - 18:25 BST
Process & Culture Track

18:00 BST

Utilizing the Snyk Api
The presenter of this session will walk you through authenticating, then using the Snyk API.

In this session, common use cases and patterns will be discussed by a Snyk Developer!

Speakers
avatar for Nir Fuchs

Nir Fuchs

Director Of Engineering, Snyk


Thursday October 22, 2020 18:00 - 18:15 BST
Demo Track

18:15 BST

Successfully Rolling Out Snyk at the Enterprise Level
Snyk Customer Success managers will discuss successful rollout strategies for Enterprises of various sizes that will ensure success.

Speakers
avatar for Andrew MacKenzie

Andrew MacKenzie

Enterprise Customer Success, Snyk
avatar for Andre Lajter

Andre Lajter

Enterprise Customer Success, Snyk


Thursday October 22, 2020 18:15 - 18:30 BST
Demo Track

18:25 BST

Securing containers directly from Docker Desktop
Docker changed the way applications are built and helps developers simplify their workflows by integrating containers into the dev pipeline. Docker makes development and testing faster and fits well in DevOps practices, but containers require application teams to handle additional aspects of application security. In containers, developers are now responsible for system configuration and security -  traditionally the realm of dedicated system administrators. This new accountability together with the pace in which new vulnerabilities are published and need to be addressed, has the potential to undo the speed benefits that come with Docker and containers..

Docker and Snyk have teamed up to solve this challenge. With the new Snyk <> Docker integration, container owners can now use a simple docker scan <image-name> command and get early visibility into vulnerabilities with the Docker CLI. The scan, powered by Snyk, provides you with not only the security issues, but also directs you to the exact place where you can fix them, without requiring you to track down each vulnerability individually. 
This is partly due to one of the unique features of the Snyk-powered scan, which allows you to include the Dockerfile as part of the scan. Doing so not only helps you fix vulnerabilities much faster, , but can also present you with recommendations for alternative base images. These recommendations go hand-in-hand with Docker’s best practices to use minimal images, further helping you reduce security risks. 

In this talk we will cover:
  • How to scan container images and get Snyk intel directly from Docker Desktop 
  • The different use cases for using `docker scan` in your pipeline 
  • How you can integrate Snyk and Docker for continuous integrated security scanning, in your command line and throughout the SDLC

Speakers
avatar for Justin Cormack

Justin Cormack

CTO, Docker
Justin is a senior engineer and security lead at Docker. He is a maintainer of the Notary project, and a member of the CNCF TOC and SIG Security. He has been working in container security for five years.
avatar for Danielle Inbar

Danielle Inbar

Product Manager, Snyk


Thursday October 22, 2020 18:25 - 18:55 BST
Product Track

18:25 BST

Secure by Design - coding patterns
Speakers
avatar for Dan Bergh Johnsson

Dan Bergh Johnsson

Dan Bergh Johnsson is an agile aficionado, Domain Driven Design enthusiast, and code quality craftsman with a long time interest in security. The combination made Dan use quality practices from DDD to address application security issues - thus being one of the founders in the field... Read More →


Thursday October 22, 2020 18:25 - 18:55 BST
Technology Track

18:25 BST

Why are there no incentives for security in Open Source?
Open Source has both “won” and “lost” at the same time. Every company in the world leverages Open Source Software (OSS) to build products. However, every software is vulnerable, and OSS is no exception. Yet, despite the strong incentive for companies all over the world to discover and fix them, the majority use open source without paying for it.

Security scanners allow companies to discover vulnerable OSS they depend upon, but those vulnerabilities should also be fixed. While there are some incentives in discovering security vulnerabilities via bounty programs, there are none to fix them. A typical email to an OSS maintainer is more like a threat: if you do not fix it in the next month or so, I am going to make this public.

In Node.js we have experimented with a public bounty program with https://github.com/nodejs/security-wg, and several companies sponsor full-time researchers to discover vulnerabilities. However, the OSS maintainers receive no compensation for their time in fixing the vulnerability. How can we solve this conundrum?

Speakers
avatar for Matteo Collina

Matteo Collina

Technical Director, Nearform
Matteo is Technical Director at NearForm, where he consults for some of the top brands in the world. In 2014, he defended his Ph.D. thesis titled "Application Platforms for the Internet of Things". Matteo is a member of the Node.js Technical Steering Committee focusing on streams... Read More →


Thursday October 22, 2020 18:25 - 18:55 BST
Process & Culture Track

18:35 BST

CircleCi Demo
Thursday October 22, 2020 18:35 - 18:50 BST
Demo Track

18:50 BST

Open Source Visibility - Bridging Dev and SecOps
Across an organization’s application composition footprint, security practitioners are trying to understand the scale and scope of open source code vulnerabilities. With organization friction and a misalignment of tools, Security operations teams find it difficult to understand and secure those areas of the business that they don’t have visibility into, while development teams struggle with properly identifying code-based threats that might impact their applications. Together how can both teams address these challenges and prioritize critical security risks?

Join Snyk, the leader in developer first security, and Trend Micro the leader in cloud security as they discuss how to bridge this divide with greater visibility and a centralized viewpoint. By helping security teams ensure that visibility as well as the proper guardrails are in place, and empowering developers to prioritize security fixes early in their build cycle, both teams can maintain control of their pipeline and application security responsibilities.

Speakers
avatar for Geva Solomonovich

Geva Solomonovich

CTO, Global Alliances, Snyk
A Business-focused Technology Executive, with vast experience in Fin-tech, Payments, Fraud and Risk Management. My experience spans from Fortune 500 companies, to building startups from scratch, to being acquired by PayPal and featured as the headline story in the book "Start-Up Nation... Read More →
avatar for Wendy Moore

Wendy Moore

VP Product Marketing, Trend Micro


Thursday October 22, 2020 18:50 - 19:05 BST
Demo Track

18:55 BST

DevSecOps for Platform Teams: A Discussion on Making It Easy to Do the Right Thing
We all know that security is everyone's responsibility, but with increasing complicated application cloud-based platforms being built it is not always obvious who is responsible for what. For example, how can leaders encourage developers to think about security and key integration points between the apps and the platform; and how can platform engineers make it easy for development teams to do the right thing in regards to security?

Join this panel session to learn from platform builders and teams leaders about DevSecOps for the modern platform:
- Katie Gamanji, Cloud Platform Engineer @American Express | TOC @CNCF
- Mario Platt, VP Head of Information Security at CloudMargin
- Melissa Benua, Director of Engineering at mParticle

Topics to be discussed:
- Key technologies, practices, and processes in relation to implementing security within a cloud platform (and how to prioritize them)
- How to balance dev and ops responsibility for platform security
- How security relates to observability (and understandability)
- How developers can get started with learning about platform security
- Common Kubernetes security gotchas

Speakers
avatar for Daniel Bryant

Daniel Bryant

Director of Dev Relations, Ambassador Labs
Daniel Bryant works as a Product Architect at Datawire, and is the News Manager at InfoQ, and Chair for QCon London. His current technical expertise focuses on ‘DevOps’ tooling, cloud/container platforms and microservice implementations. Daniel is a leader within the London Java... Read More →


Thursday October 22, 2020 18:55 - 19:25 BST
Process & Culture Track

18:55 BST

Fixing the cost of fixing - the road to zero vulnerabilities
As applications become more complex and use ever more dependencies, vulnerabilities pose a growing risk and staying on top of them becomes a harder job. The average project has over 20 vulnerabilities when first imported into Snyk. Given that developers are owning more of the software development lifecycle than ever before, it’s no wonder than ~54% of organizations end up knowingly deploying vulnerable code into production.

Prevention isn’t enough, and while a leading database allows you to find and avoid many vulnerabilities, there’s a pressing need to reduce the backlog of vulnerabilities that either existed before you started scanning a project, or are later found in already deployed code.

To help development and security teams prevent and fix vulnerabilities in the most efficient way, security solutions must provide the following key ingredients:
  • Accurate, timely and comprehensive vulnerability intelligence/detection
  • Simple and easy-to-use interfaces 
  • Automated remediation workflows
This session will demonstrate how Snyk combines these three ingredients to help organizations reduce the effort and planning required to get, and stay, as close to zero vulnerabilities as possible. Snyk does this with automated PRs to keep dependencies up to date, fix newly found vulnerabilities, and address the backlog of vulnerabilities. 

Takeaways


Following this session, participants will have a deeper understanding of Snyk’s active remediation functionality. This will enable them to not only fix newly discovered vulnerabilities, but also reduce the backlog of vulnerabilities that most projects have. As well as this, they’ll know what they can do to stay up to date, helping them avoid deploying new vulnerabilities and simplifying future vulnerability fixes. 

All of this is possible in a developer focused way, that automates away the need for time-intensive planning required in order to manually track what has been fixed and what should be fixed next. It eliminates a large part of the developer effort required to raise pull requests, allowing the developers to review and apply changes in tools that they are already familiar with, and use daily.


Speakers
avatar for Dan Mckean

Dan Mckean

Product Manager, Snyk
Product Manager at Snyk looking after teams concerned with freemium, user acquisition, user success and onboarding, and conversion to paid plans. As well as helping our users to be more successful with remediation. Talk to me about any of those things! 


Thursday October 22, 2020 18:55 - 19:25 BST
Product Track

18:55 BST

Do you accept the risk? Dynamic risk metrics in your environment.
Risk management is relatively new to the security industry but in reality insurance teams, government, and finance have been using risk assessments to make decisions for years. In this talk we’ll demonstrate how to apply classical risk management concepts to modern DevOps practices. You’ll learn how to communicate across your organization using a standard vocabulary to calculate risk at a service level, then see a demonstration of how to dynamically calculate and increase risk levels using Security Scores.

Speakers
avatar for Daniel Maher

Daniel Maher

Developer Relations, Datadog
Dan is a veteran of the original dotcom bubble and has since worked in a variety of environments from start-ups to global corporations, including a stints as a founder, university lecturer, and a day labourer. Today, Dan is a member of the Devopsdays global team and the Community... Read More →
avatar for Andrew Krug

Andrew Krug

Technical Evangelist, Datadog
Andrew Krug is a Security Engineer specializing in Cloud Security and Identity and Access Management. Krug also works as a Cloud Security consultant and started the ThreatResponse project a toolkit for Amazon Web Services first responders. Krug has been a speaker at Black Hat USA... Read More →


Thursday October 22, 2020 18:55 - 19:25 BST
Technology Track

19:25 BST

Disclosing security vulnerabilities: If You’re Good at Something - Never Do it for Free
A humorous take on this problem

Speakers
avatar for Anna Manley

Anna Manley

Principal Lawyer, Manley Law Inc.
Anna Manley is an internet and privacy lawyer based in Sydney, NS. She is the principal of Manley Law Inc. and founder of Advocate Cognitive Technologies Inc. Anna advises companies and individuals on all things law and tech related.


Thursday October 22, 2020 19:25 - 19:30 BST
Main Track

19:30 BST

Why can't we simply add a button that does X?
How hard is it to add feature Y, and why does it take so long? These are questions engineers need to handle regularly. Often, people without the appropriate skill set question the answer supplied by the engineers.

If we build a physical structure, we all understand that we cannot endlessly build new things on top of the existing parts. w However, when building software, we magically expect we do.  We made it an art to build crapy software and still make it look shiny on the outside.
Making the impossible work with minimal resources is a great accomplishment by our engineers. But what if ...
Let me show you how all of us make the same mistake over and over again.

Speakers
avatar for Brian Vermeer

Brian Vermeer

Snyk
Developer Advocate for Snyk and Software Engineer with over 10 years of hands-on experience in creating and maintaining software. He is passionate about Java, (Pure) Functional Programming and Cybersecurity. Brian is an Oracle Groundbreaker Ambassador, Utrecht JUG Co-lead, Virtual... Read More →


Thursday October 22, 2020 19:30 - 19:35 BST
Main Track

19:35 BST

Are You a Security Sherpa, or a Security Bully?
Learn how being a guide to your organization is more beneficial in the long-run than mandating controls. These concepts and techniques allow you to shift security left, and reduce overall risk.

Speakers
avatar for Dan Tyrrell

Dan Tyrrell

Manager of Information Security, AcadiaSoft
Dan Tyrrell is the Manager of Information Security for AcadiaSoft, a global FinTech firm. He works across business functions to ensure continual improvement of security controls and regulatory compliance. Hobbies include spending time with family, martial arts, and motorsports... Read More →


Thursday October 22, 2020 19:35 - 19:40 BST
Main Track
  Lightning Talk
  • about Dan Tyrrell has held various management positions in the information security field, ranging from Lead Engineer to Director of Information Security, for the last 5 years. In that time he has learned by doing, always willing to fail fast, and apply fresh concepts to unique problems. Dan holds a handful of industry certifications, but prefers to learn by doing. When not focusing on Information Security, Dan likes to spend time with his wife and two daughters, read, and practice martial arts.

19:40 BST

Ain’t no mountain high enough: Scaling security with Snyk
Growth is a great feeling! Whether it’s plants in the garden, dough rising, or increasing the number of developers and teams that are building applications and services in your organization - you can’t help but love seeing things grow. 

However, growing without the right tools to support your scaling needs can open you up to newsworthy security risks in your organisation. These risks range from malicious users being where they shouldn’t, crippling vulnerabilities drowned in a sea of less severe issues, or having to pull the shutters down because you’re no longer compliant with industry standards. 

With our largest customers managing hundreds of organisations, thousands of developers, and hundreds of thousands of projects, Snyk is devoted to ensuring these customers are successful at this scale.

In this session I’m going to cover: 
  • What “scale” means for enterprises, and the common security issues that appear with it such as authorization gaps, incorrect prioritisation of issues, and blindspots with legal compliance
  • How Snyk helps customers work at this scale, while promoting developer adoption for Open Source Security 
  • A deep dive into some features in Snyk which help support specific scaling needs such as the Snyk API, Project tagging, Project Attributes, and Policies
Takeaways
  • Learn how large  enterprises identify and remediate major security issues when scaling with minimum disruption
  • Learn the tools and strategies you can leverage to improve developer adoption of security tools and policies as organizations scale
  • Learn how to use key capabilities within Snyk such as the API, tagging and attributes, and Snyk Policies


Speakers
avatar for Simon Wilkins

Simon Wilkins

Application Security Analyst, Overstock
Worked in Application Security for the last 4 years.Automation is everything!While i come from a development background, i like to use those skills to provide automation for collegues and development teams to make everyone's life easier.Security is hard, lets not make it any harder... Read More →
avatar for Waleed Arshad

Waleed Arshad

Product Manager, Snyk
I have experience in integration middleware and dealing with issues that users face when they scale their organisations! Feel free to say hi about any of those things, or anything else like Chemistry or baking :) 


Thursday October 22, 2020 19:40 - 20:10 BST
Product Track

19:40 BST

Securing Front-end Attack Surfaces
Do security vulnerabilities exist in modern front-end frameworks like Vue, React or Angular? We'll take a look at attack vectors on the front-end and realize that XSS is still very much a real concern when building modern front-end applications. We'll talk about workflows and tools to help bring front-end security to front-end developers and the risks of open source and JavaScript's supply chain security from dependencies to the edge.

Speakers
avatar for Eric Graham

Eric Graham

Vp product management, Akamai Technologies
avatar for Liran Tal

Liran Tal

Developer Advocate, Snyk


Thursday October 22, 2020 19:40 - 20:10 BST
Technology Track

19:40 BST

Utilizing Dojos to Instill a Culture of DevSecOps
Dojos offer an immersive learning opportunity that cultivates real cultural change and focuses on the new practices and technologies needed to achieve a specific DevOps-oriented goal or capability. Whether your goal is to shift security left in the SDLC or implement automated security enablers the fun and easy part is always the technology, organizations often struggle with or even forget about the most critical parts of the DevOps transformation - the People and Culture.
Description

The Dojo solves this problem by gathering the entire team (Product, Development, Testing, Security, Risk, etc.) in a physical/virtual learning space where teams can form habits of collaboration, trust, and transparency in a new way of working. In these hands-on, interactive sessions, teams learn how to work together more effectively to accelerate software delivery. This “learning together” mindset cultivates empowerment and shared responsibility, enabling individuals to accomplish their goals while working as a unified team that drives towards better, faster, more secure, and higher-quality outcomes.

Speakers
avatar for Eric Chapman

Eric Chapman

Technical Principal, Liatrio
Eric Chapman is a Technical Principal at Liatrio, helping our clients deliver software faster and safer. With a background in software development, he has spent the past 20 years architecting, building, and enabling software systems for large complex organizations ranging from US... Read More →


Thursday October 22, 2020 19:40 - 20:10 BST
Process & Culture Track

20:10 BST

Patterns for secure container base image management
Lots of organisations maintain a set of internal container base images. This allows for some centralisation of decision making (which base operating system should we use? What language runtimes do we support?) and provides a single place where security hardening and low-level patches can be applied.

But how do you ensure development teams are using the up-to-date base image? And from the development team perspective how can we make using the central base images a better developer experience?

In this talk we will:

  • Look at a few patterns for better base image management
  • Discuss the pros and cons involved in having central base images for your organisation, in particular around communicating change and determining ownership of issues
  • Talk about the role build files like Dockerfile play in helping manage usage of base images
  • Show a few demos of tools, including Snyk, Open Policy Agent and GitHub Actions, that can help you securely manage your base images
Takeaways
All attendees should come away from the session with some practical ideas they can put into practice straight away, whether they already have a central base image programme or not.

For teams responsible for managing a set of base images for an organisation we’ll talk about:
  • The problems you might be trying to solve by having your own base images, like being about to triage issues once and reduce operational complexity
  • Why development teams might not buy in and what to do about it 

For development teams building applications we’ll look at:
  • Why having someone else managing base images for you can be a good thing
  • Ways of making the security boundaries between teams clearer

And for security teams responsible for assuring the final images and the process around building them we’ll discuss:
  • How you can measure this effort across lots of teams and lots of images.
  • How to engage development teams in the process 


Speakers
avatar for Gareth Rushgrove

Gareth Rushgrove

Director of Product, Cloud Native, Snyk
Director of Product Management at Snyk. Developer, designer, occasional sysadmin. Infrastructure and open source geek. Curator of Devops Weekly.


Thursday October 22, 2020 20:10 - 20:40 BST
Product Track

20:10 BST

Navigating DevOps Security journey at Scale using OWASP SAMM 2.0
OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company risk profile, organizational structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organization. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements.

OWASP Software Assurance Maturity Model (SAMM) gives you an effective and measurable way for all types of organizations to analyze and improve their software security posture in 3 levels of maturity - thus creating a step-by-step software assurance navigation plan. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization. In this talk, we give an overview of the new release of the SAMM model. After 10 years since its first conception, it was important to align it with today’s development practices.

We will cover a number of topics in the talk:
(i) core structure of the model, which was redesigned and extended to align with modern development practices,
(ii) measurement model which was setup to cover both coverage and quality
(iii) the new security practice streams where the SAMM activities are grouped in maturity levels.

We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.

Speakers
avatar for Hardik Parekh

Hardik Parekh

Senior Director, Head of Product & Application Security
Hardik Parekh is recognized thought leader and executive in product security domain with hands-on contributions to SANS CWE Top 25, OWASP SAMM, BSIMM 1.0 to BSIMM 9; and SAFECode. Hardik is part of the core team which developed OWASP SAMM 2.0.Hardik has 16+ years of hands-on security... Read More →


Thursday October 22, 2020 20:10 - 20:40 BST
Process & Culture Track

20:10 BST

Product Security Automation at Asurion
Using a developer-first toolkit has been key to Asurion's growth and our ability to scale Security to meet the growing demands of our Product teams. While we continue to hone our craft it's important that we use the best-of-breed tools to provide developers with actionable information, information that helps mitigate risk early in our development lifecycle. Listen in as we share how we use Snyk as part of this toolkit to identify risk, potentially break builds and ship needed information to a SIEM for visualization by executives and by the SOC.

Speakers
avatar for Jeremy Young

Jeremy Young

Principal Security Engineer, Asurion
I thought I'd be forecasting tropical weather systems by now but turned my weather modeling experience into a Linux admin role out of school. Security is where my passion is. I'm in a lucky role where I can split my time between penetration testing and using my experience on DevOps... Read More →


Thursday October 22, 2020 20:10 - 20:40 BST
Technology Track
 
  • Timezone
  • Filter By Date SnykCon 2020 Oct 21 -22, 2020
  • Filter By Venue Online
  • Filter By Type
  • Demo
  • Happy Hour
  • Keynote
  • Lightning Talk
  • Panel
  • Product
  • Talk