SnykCon 2020 has ended
Wednesday, October 21

14:20 BST

The Developer Desktop - Part 1 - Open Source
The developer experience (IDE, CLI, OS Advisor) for planning, validating, and fixing third-party dependencies.

Speakers

Agata Krajewska

Software Engineer, Snyk


Wednesday October 21, 2020 14:20 - 14:40 BST

14:20 BST

Beyond the Devops Handbook - What about devsecops?
It's been five years since The DevOps Handbook came out. There were some hints of DevSecOps in it. In this panel we'll discuss how DevOps has evolved and how DevSecOps is a natural consequence.

Speakers

Patrick Debois

VP of Engineering, Showpad
In order to understand current IT organizations, Patrick has taken a habit of changing both his consultancy role and the domain which he works in: sometimes as a developer, manager, sysadmin, tester and even as the customer. He first presented concepts on Agile Infrastructure at Agile...

John Willis

Distinguished Researcher, Kosli
John Willis is a Distinguished Researcher at Kosli. Previously, he was Senior Director of the Global Transformation Office at Red Hat. Before Red Hat, he was the Director of Ecosystem Development for Docker, which he joined after the company he co-founded (SocketPlane, which focused...

Gene Kim

Founder and Author, IT Revolution
Gene Kim is a Wall Street Journal bestselling author, researcher, and multiple award-winning CTO. He has been studying high-performing technology organizations since 1999 and was the founder and CTO of Tripwire for 13 years. He is the author of six books, The Unicorn Project (2019...

Sasha Rousenbaum

Senior Product Manager, Github
Sasha is a Product Manager at GitHub, focused on helping engineers be successful with using GitHub for work as well as for open source. In her career, Sasha has worked in development, operations, consulting, and cloud architecture. Sasha is an organizer of DevOpsDays Chicago, a chair...


Wednesday October 21, 2020 14:20 - 14:40 BST
Main Track

14:40 BST

Managing issues with open source dependencies
This session will focus on the capabilities within Snyk that address the all-important question: "I've onboarded hundreds of projects, what now?"

Topics will include "Prioritization", "Fix/Merge Pull Requests", "Ignore", "Merge Advice", and "Auto fix".

Speakers

Shawn Miller

Sr. Solutions Engineer /Enablement Lead, Snyk


Wednesday October 21, 2020 14:40 - 14:55 BST
Demo Track

14:40 BST

Blow up your Security: We are all Engineers
There are two ways that application security appears in automated development pipelines - engineers introduce tooling, or application security tells engineers what tools to use. One way is an organic approach to addressing vulnerabilities in code and treating security issues as a component of software quality, and the other is akin to death from above. A carpet bombing of engineering practices.

It's time to flip application security on its head and transform traditional application security teams that know about engineering into engineering teams that specialize in security.

Join DJ Schleen as he discusses how to implement a program that promotes the developer-first way of addressing application security, how it fosters collaboration, and how a simple mind shift can ensure your DevSecOps transformations are successful.

Speakers

DJ Schleen

DevSecOps Evangelist and Security Architect, Rally Health
DJ is a DevOps pioneer, and DevSecOps Advocate in the Healthcare industry and provides thought leadership to organizations looking to integrate security into their DevOps practices. He comes from a practitioner background and specializes in architecting DevSecOps pipelines, automating...


Wednesday October 21, 2020 14:40 - 15:00 BST
Main Track

14:55 BST

From the Developer Desktop to Production
This session is for new users or individuals contemplating Snyk who would like to see the workflows of Snyk. The presenter will show code progressing from the developer desktop, through code repository, CI/CD and production capabilities of Snyk to analyze open source.

Speakers

Philippe Stemberger

Solutions engineer, Snyk


Wednesday October 21, 2020 14:55 - 15:10 BST
Demo Track

15:00 BST

How did the Department of Defense move to Kubernetes and Istio?
Discover how the largest organization in the world moved to DevSecOps by adopting Kubernetes and Istio to move at the pace of relevance. The Department of Defense is using Kubernetes on jets and various other systems, and has a hundred thousand people to train each year. Learn about their Enterprise Service and the code they open-sourced.

Speakers

Nicolas Chaillan

Chief Software Officer, U.S. Air Force
Mr. Nicolas Chaillan, a highly qualified expert, is appointed as the first U.S. Air Force Chief Software Officer, under Dr. William Roper, the Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, Arlington, Virginia. He is also the co-lead for the Department...


Wednesday October 21, 2020 15:00 - 15:20 BST
Main Track

15:10 BST

CI/CD - Part 1 - How it Works
The presenter will discuss Snyk's role and workflow as part of CI/CD, discussing gating and/or monitoring, and the features available.

Speakers

Philippe Stemberger

Solutions engineer, Snyk


Wednesday October 21, 2020 15:10 - 15:25 BST
Demo Track

15:30 BST

SnykCon Welcome & Keynote
Join Snyk CEO Peter McKay and Snyk co-founder Guy Podjarny to kick off SnykCon 2020 with reflections on 2020; updates on the rapidly evolving modern security market; and a big announcement about what’s coming next for the Snyk Platform. 

Hear from Snyk Chief Product Officer Aner Mazur about recent product enhancements and some insights into the Snyk product roadmap for 2021! 

Speakers

Guy Podjarny

Founder, Snyk
Guy is the Founder of Snyk, the host of The Secure Developer, and an O’Reilly author. He was previously CTO at Akamai and led AppScan, pioneering AppSec. Snyk was founded on Guy’s belief that the future of security depends on developer adoption...

Aner Mazursky

Chief Product Officer, Snyk
Aner is the VP of Product Management at Snyk. He is responsible for setting the product strategy and delivering open source security solutions for developers. Prior to joining Snyk Aner was head of product management at Outbrain, and prior to that Aner came from an algorithmic R&D...

Peter McKay

CEO, Snyk


Wednesday October 21, 2020 15:30 - 16:30 BST
Main Track

16:45 BST

Demos Rapid7
Wednesday October 21, 2020 16:45 - 17:00 BST
Demo Track

17:15 BST

Exit Stage Left: Eradicating Security Theater
Information security is often perceived as the surly gatekeeper of I.T. whose iron grip chokes software delivery. Infosec commands the stage in this security theater, instituting punitive policies, procedures, and controls masquerading as security strategy. The negative side effects created by these “strategies” are traditionally overlooked when measuring security outcomes, resulting in superficial progress at the expense of organizational growth and productivity.

In this talk, we will unmask security theater and explore how it leads to increased organizational friction, especially in the realm of software delivery, rather than promoting safety. We will contrast these dramatics with a security chaos engineering approach – one which embraces the importance of convenience, alignment with organizational goals, and the wisdom derived from failure. Finally, we will conclude by exploring pragmatic approaches to security approval patterns that accelerate software delivery, level up security, and foster a collaborative culture between dev, ops, and infosec.


Speakers

Kelly Shortridge

VP of Product Management and Product Strategy, Capsule8


Wednesday October 21, 2020 17:15 - 17:45 BST
Main Track

17:55 BST

Snyk Open Source 101
Using open source provides development teams with the speed and flexibility needed to deliver value at the pace required by their businesses to remain competitive. It’s little wonder that open source often composes up to 90% of codebases in modern applications.
But this growing reliance also introduces a significant amount of security and legal risk. Open source dependencies may contain exploitable security vulnerabilities, exposing the organization to attacks by hackers. As more and more open source code is used, accidental license violations may result in fines and injunctions. Software Composition Analysis (SCA) has grown in importance over the last few years to help organizations manage and reduce this risk, and now plays a key role in application security.
In this session, we will go over the three key ingredients making Snyk Open Source the leading software composition analysis (SCA) tool in the market: developer-friendliness, automated remediation, and security depth. If you are new to Snyk Open Source or have never heard about it, this is the session for you!

Takeaways

Leaving this session, you’ll have a crystal-clear understanding of the risk involved in pulling in open source packages, the challenges involved in managing this risk, what’s required to overcome these challenges, and where Snyk Open Source fits in as an SCA solution. 

Consider this a Snyk Open Source 101 session. You will learn about the three key foundations Snyk Open Source was built on and how they help over 1.5 million users worldwide find, prioritize, and fix security vulnerabilities and license issues in their open source dependencies:

  • Developer-friendliness
  • Automated remediation
  • Security depth 

For deeper dives into advanced Snyk Open Source topics, be sure to attend the following sessions:

  • Fixing the cost of fixing - the road to zero vulnerabilities 
  • License to chill: Staying compliant with Snyk license compliance 
  • How to prioritize your vulnerabilities 


Speakers

Daniel Berman

Product Marketing - Snyk Open Source, Snyk
Product marketing director for Snyk Open Source. Write/talk about DevSecOps'ie stuff. @DevOpsDaysTLV organizer. DadOps, runner, and shameless LFC fan...


Wednesday October 21, 2020 17:55 - 18:25 BST
Product Track

17:55 BST

How to Implement a DevSecOps Culture in a Large Enterprise - People, Processes, Tools
What skills and knowledge areas are required in building a security engineering team.

How to define and implement a security engagement model across a large number of development teams.

What security tools can aid this activity and how to implement them effectively.

Speakers

Paul Graziano

DevSecOps Engineer, Pearson

Nicholas Vinson

DevSecOps Lead, Pearson
Leading a team of highly skilled engineers in defining and implementing a security engineering function within Pearson and driving a DevSecOps transformation for the past two and a half years. Previously worked as a DevSecOps Consultant, Penetration Tester, Lead DevOps Engineer, and...

Owen John

Platform Security Lead, Pearson



Wednesday October 21, 2020 17:55 - 18:25 BST
Process & Culture Track

17:55 BST

SCA & Enterprise Vulnerability Management
While software composition analysis is typically found as part of the development cycle, it can also enable the traditional vulnerability management (VM) toolchain to gain insights into vulnerabilities on production assets. In this talk we'll explore how enterprise vulnerability management deals with open source vulnerabilities, how SCA can help, and how these vulnerabilities map to commonly used frameworks in the VM space, like MITRE ATT&CK. In addition to surveying application vulnerability management, we will also show process models for managing container vulnerabilities and issues that can be found inside infrastructure as code definitions.

Speakers

John Bock

R&D, Optiv
John Bock is a member of the Research & Development group at Optiv Inc. In R&D he is focused on the emergent security landscape and threats to new technologies that are still developing a resilient security posture. Prior to this role, John was the leader of Optiv’s Application...


Wednesday October 21, 2020 17:55 - 18:25 BST
Technology Track

18:00 BST

CI/CD - Jenkins
Integration setup and job configuration options for open source dependencies and containers via the Jenkins Integration

Speakers

Philippe Stemberger

Solutions engineer, Snyk


Wednesday October 21, 2020 18:00 - 18:15 BST
Demo Track

18:15 BST

CI/CD - Azure
Integration setup and job configuration options for open source dependencies and containers via the Azure Integration

Speakers

Philippe Stemberger

Solutions engineer, Snyk


Wednesday October 21, 2020 18:15 - 18:30 BST
Demo Track

18:25 BST

Need better security decisions? Get a better vulnerability database!
Imagine you find a vulnerability in your code. A vulnerability that looks nasty and challenging to fix. What do you do?

Most developers in this situation will reach out to someone with a better security understanding for help. At first they’ll say “Oh, this does look nasty.” They’ll do some basic internet searches to learn a bit, read your code, and research the vulnerability. The more time they invest and the more data they provide back to you, the more you’ll trust their answer when they ultimately say: “Yes, you have to fix this.”

The process happens the same way when hundreds or thousands of vulnerabilities need to be addressed. With better data available, we can make better decisions. In the world of open source vulnerabilities, the vulnerability database you choose to use empowers your solution and enables your decision making. And the better that database is, the better your security decisions are.

In this talk we will look at the characteristics of a high quality vulnerability database and how it helps the results of an appsec program, specifically looking at:
  • The evolution of database generations
  • What it takes to enable sophisticated security decisions at scale
  • Examples of advanced metadata and its potential usage
Takeaways
In this session, Shani Gal, Product Lead for Snyk Intel Vulnerability Database, will share insights on the evolution of open source vulnerability databases. 

For development teams building applications we’ll look at:
  • What should you expect from a vulnerability database, to make sure your time is well spent?

For security teams and development teams that own fixing vulnerabilities, we’ll look at:
  • How might you use vulnerability data to make better decisions on what should be done?
  • Data you should consider when building your future system


Speakers

Parag Dave

Product Management, Red Hat

Shani Gal

Director of Product, Security group, Snyk


Wednesday October 21, 2020 18:25 - 18:55 BST
Product Track

18:25 BST

Security Culture: Why You Need One and How to Create It
Strong cultures permeate people’s mentality and the way that they behave, their receptiveness to new ideas and thoughts, and their motivation to do security tasks. Organizations with a positive security culture have immense capability to build resilient products and reduce security debt.

Every organization has a security culture, either good or bad, even if a security team or company has never invested in it. It is the underlying driver of why people choose to do what they do around security. This is exactly why security teams and their organizations need to take ownership and proactively shape the culture into a direction that supports the security well-being of the organization.

This talk will go into understanding how to measure your organization's current security culture and how to define where you want to go. From there we will look into techniques of how to begin to shape your organization’s security culture to become more resilient and enable people-powered security.



Speakers

Masha Sedova

Co-Founder, Elevate Security
Masha Sedova is an industry-recognized people-security expert, speaker, and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security delivering the first people-centric security platform that leverages behavioral-science...


Wednesday October 21, 2020 18:25 - 18:55 BST
Process & Culture Track

18:25 BST

User Story Threat Modeling: It's the DevSecOps Way
Threat modeling is one of those security practices that is most often left out of the DevOps pipeline. Yet according to the Puppet 2019 State of DevOps Report, while not as often practiced in a DevOps pipeline, collaborative threat modeling can have the most significant impact on security posture. So how do we bring the typically labor-intensive methodology of threat modeling into a practice that doesn't break our DevSecOps pipeline?

In this session, we'll discuss a user story-based approach for threat modeling that was developed by asking the question: why do we threat model in the first place? The methodology presented focuses on continuous improvement by eliminating time-consuming frameworks, limiting the scope, and providing valuable information that makes incorporating and validating security controls easier throughout the delivery pipeline. We'll even walk through a practical application of this methodology to show how it drives greater collaboration among various teams to make the ideals of DevSecOps culture a reality.

Speakers

Alyssa Miller

Application Security Advocate, Snyk
Alyssa Miller is a hacker, security evangelist, cybersecurity professional and public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments, but also helping develop...


Wednesday October 21, 2020 18:25 - 18:55 BST
Technology Track

18:30 BST

CI/CD - Part 2 - Advanced configuration options and plugins available.
This session will cover the CLI and the advanced options available to build integrations. Plugins will include, but are not limited to, snyk-to-html, snyk-to-jira, Snyk Delta and Snyk Filter.

Speakers

Kriti Dogra

Solutions engineer, Snyk


Wednesday October 21, 2020 18:30 - 18:45 BST
Demo Track

18:45 BST

CI/CD - Part 3 - CI/CD Best Practices
This session, hosted by one of the most experienced customer success managers, will discuss implementation and rollout strategies within your pipelines to ensure success.

Speakers

Shawn Miller

Sr. Solutions Engineer /Enablement Lead, Snyk

Omri Negri

Customer Success Team Manager, Snyk


Wednesday October 21, 2020 18:45 - 19:00 BST
Demo Track

18:55 BST

DevSecOps in containers and serverless.
What are the jobs to be done, and which model is most effective from a security perspective: serverless or Kubernetes? How can we improve security in both fields? In this session expert practitioners will discuss what they’ve learned developing and managing systems using modern infrastructure for enterprises and web-scale companies. What’s lacking in the serverless ecosystem? What about Kubernetes? How can enterprises safely deploy new technologies, serving the needs of developers, whilst maintaining security for governance, risk and compliance?

Speakers

Andrew Martin

CEO, Control Plane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience...

Ant Stanley

Co-Founder, Homeschool from Senzo

Maya Kaczorowski

Product Manager, GitHub

James Governor

Analyst & Co-founder, RedMonk
Founded RedMonk in 2002 with Stephen O’Grady. We focus on developers as the real key influencers in tech. Understanding that people choose technology because of gut instincts, not facts per se. An ex-journalist, I have managed teams and news agendas in weekly publication grind...


Wednesday October 21, 2020 18:55 - 19:25 BST
Process & Culture Track

18:55 BST

Building safer containers with Snyk
What does “developer-focused” container security look like and how can it change both how you create and run containers?

In this session, we’ll look at container image security from the builder’s perspective, going beyond simply uncovering vulnerabilities to coming up with a practical, repeatable approach to fixing them. Along the way, we’ll show you how to think about some common questions like:
  • Which vulnerabilities, out of the 10s or 100s you might find in a container, should developers focus on? How does your team identify and prioritize your efforts to reduce risk?
  • Where in the software lifecycle should you scan container images?
  • How do you turn common container image best practices into real-world policies you can use to inspect, educate, and enforce with application teams?

We’ll also demonstrate how Snyk Container fits in at various points in the development lifecycle including CI/CD, Kubernetes clusters, and popular cloud registries.

Takeaways

Attendees should leave this session with a strategy to reduce the number of container image vulnerabilities in their environment:
  • How do you logically assess a list of container vulnerabilities in the context of how container images work?
  • How do you reduce the number of vulnerabilities in your container images? Should you be aiming for zero vulnerabilities? And if not (spoiler alert!), how do you prioritize what should be fixed?

The strategies are general enough to apply no matter what tools you might use for container scanning, but we will show you specifically how Snyk Container fits into this strategy.

Consider this session to be the container security overview, where we will talk about the technology and strategy for fixing container issues. In the Patterns for secure container base image management session we’ll go deeper on the people & process; and, for teams using Docker Desktop and Docker Hub, we’ll cover details of our integrated tools in the Snyk & Docker team up to improve container images security session.

Speakers

Jim Armstrong

Senior Director - Product Marketing, Snyk


Wednesday October 21, 2020 18:55 - 19:25 BST
Product Track

18:55 BST

Lighting the Flare: container scanning at scale
In this session, we'll go over how we tackled the problem of enrolling and scanning container images with Snyk across 300+ AWS accounts. We'll also give an overview of how we approached surfacing critical findings to the right folks to drive remediation.

Speakers

Matt Stegall

Senior Engineer, Red Ventures

Alfonso Cabrera

Director of Platform Engineering, Red Ventures


Wednesday October 21, 2020 18:55 - 19:25 BST
Technology Track

19:00 BST

Test, Fix, and Monitor your Code Repositories
This session will discuss onboarding projects via a Source Code Manager integration, continuous monitoring for third party vulnerabilities, and vulnerability management via automated Fix/Merge Pull Requests.

Speakers

Sarah Gold

Solutions engineer, Snyk


Wednesday October 21, 2020 19:00 - 19:15 BST
Demo Track

19:15 BST

Managing Open Source Licenses
For an organization, monitoring license usage and gaining visibility is important, as is setting policies to ensure proper usage.

In this session we will discuss:
1) Setting Policies
2) Developer visibility
3) Reporting

Speakers

Paul Harland

EMEA Solutions Engineer, Snyk


Wednesday October 21, 2020 19:15 - 19:30 BST
Demo Track

19:25 BST

Storytime - Secure Coding Libraries
Speakers

Tanya Janca

Head Nerd, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding...


Wednesday October 21, 2020 19:25 - 19:30 BST
Main Track

19:30 BST

Whoops! I Committed It Again: Configuring Git to Prevent Accidental Commits
It’s so easy to accidentally commit a secret key or sensitive data in our git repository. This lightning talk will explain how you can leverage git hooks to catch things before they get committed or pushed up to the git origin.

Speakers

Miguel A. Calles

Principal Engineer, VeriToll LLC
Miguel A. Calles is a certified cybersecurity engineer who works on cloud computing projects and writes about serverless security. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large...

Greg Thompson

Full stack software engineer, Veritoll
Greg Thompson is a full stack software engineer. He’s worked on a diverse range of projects from mainframes to medical systems and bioinformatics as both an engineer and a manager. His current passion is building and deploying serverless systems in the cloud. In his down time he...


Wednesday October 21, 2020 19:30 - 19:35 BST
Main Track

19:30 BST

Stackhawk Demo
Wednesday October 21, 2020 19:30 - 19:45 BST
Demo Track

19:35 BST

Customer Awards
Snyk will be taking the opportunity during SnykCon to celebrate some of our extraordinary customers in our first ever Customer Awards. Please join us in recognizing these champions across 4 different awards:
  • The Early Adopter Award
  • The Innovator Award
  • The Advocate Award
  • The DevSecOps All-star Award

Speakers

Peter McKay

CEO, Snyk

Lindsey Serafin

Head of Customer Success, Snyk


Wednesday October 21, 2020 19:35 - 19:40 BST
Main Track

19:40 BST

How to deploy securely using Kubernetes & Terraform
Kubernetes is fast becoming the platform of choice for deploying modern cloud native applications and Terraform is increasingly the tool of choice for creating infrastructure to support these applications.

Their flexibility means they are powerful for a wide range of use-cases and their focus on configuration in code means they are accessible to development teams to use quickly and autonomously. 

But with this comes the challenge of knowing whether you’ve deployed your application securely. How do you understand all of the potential configuration options and their impact? How do you know that the supporting infrastructure is appropriately locked down and that you are following your own team's best practices?

In this talk we will:
  • Look at a typical development flow for writing and validating a Kubernetes and Terraform deployment, starting from the command line through to your source control system
  • Discuss the challenges and security considerations you should be aware of and how to work with your security team if you have one
  • Show a few demos of tools, including Snyk, that can help you get faster feedback
Takeaways
All attendees should come away from the session with some practical ideas they can put into practice straight away, whether they have wide adoption of Kubernetes and Terraform yet or not. 

For development teams building applications we’ll look at:
  • Why considering security from the beginning is beneficial
  • How to securely deploy to Kubernetes and the considerations in doing so
  • How to securely provision infrastructure using Terraform
  • How to seamlessly add security into your local development workflow, with the toolchain you are familiar with
  • How to work collaboratively with the security team

And for security teams responsible for assuring the applications and infrastructure that is being deployed, we’ll discuss:
  • How to get visibility into each application and across applications
  • How to engage with development teams to educate and empower them to develop securely



Speakers

Ben Laplanche

Product Manager, Snyk
As the Product Manager for Snyk's Infrastructure as Code offering, I'm focused on helping developers get actionable insights into the configuration of their Kubernetes / Terraform configuration files as early as possible in their software lifecycle. Talk to me about general Infrastructure...


Wednesday October 21, 2020 19:40 - 20:10 BST
Product Track

19:40 BST

Securing Open Source pipeline using Plug-n-Play Scanning
Salesforce believes in giving back to the community, and one of the ways engineers can give back is by open sourcing the work they have done so that other individuals can benefit from it. Until July 2020, requests to open source any internal Salesforce work were reviewed by Product Security manually, and this soon became a bottleneck. We developed an automation service that seamlessly connects with the internal task tracking system and internal security tools to provide a consolidated scan report of the repository to be open sourced, saving at least 150 hours of manual work per year. This framework can now be extended to be a plug-and-play security scanning/testing framework capable of incorporating any tool.

Speakers

Amol Deshpande

Product Security Engineer, Salesforce
Amol Deshpande is a Product Security Engineer on the PaaS Security Assurance team at Salesforce. He works with product and engineering teams to secure their products by performing threat modeling, code reviews and small scale penetration testing. He also works on automation projects...


Wednesday October 21, 2020 19:40 - 20:10 BST
Technology Track

19:40 BST

Sour Mint - The case of a malicious advertisement SDK affecting thousands of mobile apps
On August 24, 2020, Snyk published its research into a malicious SDK distributed by Mintegral, a Chinese ad network spun off from Mobvista. In this talk we will share the details surrounding the SDK, how it went undetected for more than a year, and the impact of our publication on the mobile advertisement ecosystem.

Speakers

Alyssa Miller

Application Security Advocate, Snyk
Alyssa Miller is a hacker, security evangelist, cybersecurity professional and public speaker with almost 15 years of experience in the security industry. A former developer, her background is application security, not only conducting technical assessments, but also helping develop...

Danny Grander

CSO / Co-founder, Snyk


Wednesday October 21, 2020 19:40 - 20:10 BST
Process & Culture Track

19:45 BST

Datadog Security Monitoring
Wednesday October 21, 2020 19:45 - 20:00 BST
Demo Track

20:10 BST

License to chill: Staying license compliant with Snyk
Developers prefer to use open source libraries because it enables them to develop faster while also reducing functional and operational risks. Popular ecosystems continue to show double-digit adoption rates, with npm leading the pack with 33% growth in 2019. More than 96% of applications include open source code and over 80% of a typical application's code is open source.

Before including an open source package as a dependency in their application, developers examine its functionality, popularity, and overall maintenance, but licensing is often ignored. That needs to change. Open source packages are free but do not come without a cost. Their licenses contain various stipulations and requirements, dictating how the code can be used and distributed. Not complying with these terms can end up with you and your organization facing litigation and suffering from reputation loss. Not convinced? The $100M lawsuit against Panasonic for violating a GPL 2.0 license is a good example.

In this session, you will learn about Snyk's own journey of managing and complying with the open source licenses for the software our development team uses—from a small startup with no particular compliance strategy to a leader in open source security and compliance, enabling other organizations to develop fast while staying secure AND compliant. 

Speakers

Stephanie Dominy

General Counsel, Snyk

Ariel Ornstein

Director of Product, Ecosystems, Snyk

Benji Weber

Director of Engineering, Snyk


Wednesday October 21, 2020 20:10 - 20:40 BST
Product Track

20:10 BST

Hackers don't wear hoodies, they wear capes
1 out of 4 hackers don’t submit vulnerabilities due to fear of out-of-date legislation, press coverage, and companies’ misdirected policies. This fear is based on socially constructed beliefs. This talk dives into the current landscape hackers are facing and what the steps to improving it are.

Speakers

Chloé Messdaghi

Vice President of Strategy, Point3 Security, Inc
Chloé Messdaghi is the VP of Strategy at Point3 Security. She is an InfoSec Advocate & Activist who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights...


Wednesday October 21, 2020 20:10 - 20:40 BST
Process & Culture Track

20:10 BST

Securing Kubernetes in an ever-changing ecosystem
The cloud has conquered the world, bringing with it the adoption of Kubernetes and other cloud-native technologies. This trend is creating concerns within organizations over the security of their application containers, since it changes the attack surface and the traditional application security approach has limited value. In this talk I will share thought leadership and real-life examples of the prescribed best methods and technology in the ecosystem that are necessary to meet the constantly changing needs of the business as we shift to a Container World.

Speakers

John Forman

Director; Master Technology Architect, Accenture, LLC NA
John T. Forman is a Director; Master Technology Architect and serves as the Global Anthos/Kubernetes lead for Accenture Cloud First. John has a passion for Cloud Native technologies and along with being a hands-on practitioner, he serves as a SME for Open Source, the Metaverse, DevSecOps...


Wednesday October 21, 2020 20:10 - 20:40 BST
Technology Track

20:50 BST

Multi-threaded Drum & Bass : Live Coding Music with Sonic Pi
Sonic Pi is a free code-based music creation and performance tool that targets both education and professional musicians. It is possible for beginners to code fresh beats, driving bass lines and shimmering synth riffs. All this whilst teaching core computer science concepts such as sequencing, functions, variables, loops, data structures and algorithms.

In this discussion and performance we’ll briefly cover its history before taking a deep technical nose dive into some of the core technical innovations which enable powerful, live expression of music. We’ll explore Sonic Pi’s novel internal technologies which enable it to rhythmically synchronise concurrent threads (to the beat), deliver thread-safe deterministic randomisation and the power of representing state in its internal totally-ordered event-store.

Speakers

Dr Sam Aaron

Research Associate, Sonic Pi
Dr Sam Aaron is the creator of Sonic Pi, an internationally renowned live coding performer, public speaker and science communicator. Sam has a PhD in Computer Science and held a research position at the University of Cambridge Computer Laboratory where he initially developed Sonic...


Wednesday October 21, 2020 20:50 - 21:50 BST
Main Track
Thursday, October 22

14:20 BST

The Developer Desktop - Part 2 - Building Secure Containers with Snyk
In the session, Snyk will show how to build Docker container images, test for vulnerabilities and remediate utilizing Snyk developer tools.

Speakers

Clinton Herget

Solutions Engineer, Snyk


Thursday October 22, 2020 14:20 - 14:35 BST
Demo Track

14:20 BST

The Impact of DevSecOps Quantified
What if I could tell you the three application security practices whose adoption would most lower risk? What if I could also quantify the impact that each practice would have on your outcomes? Imagine being able to focus your entire organization (and your limited budget) on these three things rather than have your efforts spread across dozens of practices. Imagine how different the conversation with engineering teams and budget approvers will be if you can present research that shows just how important these three things are compared to other things you could invest in.

This talk is a presentation of research that quantifies the impact that various DevSecOps software security practices have on security risk outcomes. We have data from 200 different teams in the technologically and process diverse environment inside Comcast. We've tracked this data over time as teams have adopted practices like secure coding training, threat modeling, pen testing, SAST/IAST/SCA tool usage, security code review, etc. We have then correlated outcomes like network vulnerability to not only determine which practices have the most impact but to quantify how much of an impact each has.

Speakers

Larry Maccherone

DevSecOps Transformation, Contrast
Larry Maccherone is an industry-recognized thought leader on DevSecOps, Lean/Agile, and Analytics. He currently leads the DevSecOps transformation at Comcast. Previously, Larry led the insights product line at Rally Software where he published the largest ever study correlating development...


Thursday October 22, 2020 14:20 - 14:40 BST
Main Track

14:35 BST

Securing Your Container Build Pipeline
In this session, Snyk will demonstrate how to build a secure CI/CD pipeline for containerized applications and prevent container vulnerabilities from reaching production.

Speakers

Clinton Herget

Solutions Engineer, Snyk


Thursday October 22, 2020 14:35 - 14:50 BST
Demo Track

14:40 BST

Connections and Intersections between Resilience Engineering and Security
The interdisciplinary field of Resilience Engineering is over 20 years old, even though it's only recently come into contact with the online software world. I'll describe this critical field, lay out some of the few connections that have been made to security in software-centered environments, and suggest some directions this community might go in to pragmatically move these connections and concepts forward.

Speakers

John Allspaw

Founder and Principal, Adaptive Capacity Labs
John Allspaw has worked in software systems engineering and operations for over twenty years in many different environments. John's publications include the books The Art of Capacity Planning (2009) and Web Operations (2010) as well as the foreword to "The DevOps Handbook." His 2009...


Thursday October 22, 2020 14:40 - 15:00 BST
Main Track

14:50 BST

Monitoring Container Images in Your Production Environment with Snyk
In this session, Snyk will show how to monitor the container images in your production environment for vulnerabilities, via the container registry, Kubernetes integration and OpenShift operator.

Speakers

Clinton Herget

Solutions Engineer, Snyk


Thursday October 22, 2020 14:50 - 15:05 BST
Demo Track

15:00 BST

Host Like Your Planet Depended On It
The cloud, machine learning, cryptocurrencies. We all know data centers use a lot of power. We're not a million miles from the aviation industry. So, what are we doing about it? The cloud providers are literally a decade apart on their progress. Who's winning? What does carbon neutral, carbon zero, and carbon negative mean? Do they have a plan and do you?

Speakers

Anne Currie

WorkingPrograme, CEO
25+ years in tech as an engineer, senior manager, startup founder, green tech campaigner. Leadership team @ Green Software Foundation. Published 7 scifi novels in the Panopticon series: Utopia Five, Conundra, Denizen 43, Dystopia X, Mars Insurgent, Heliotrope, Death Ray. Co-organised...


Thursday October 22, 2020 15:00 - 15:20 BST
Main Track

15:30 BST

SnykCon Keynote & Fireside Chat with Adrian Ludwig, CISO, Atlassian
Snyk CEO Peter McKay will welcome you back to SnykCon with a discussion of the modern security ecosystem highlighting key partners and integrations.

Snyk VP of People Dipti Salopek will share an update on Snyk’s commitment to social good amongst the communities in which we live and operate.

In the second half of the Keynote, we are excited to bring Adrian Ludwig, CISO at Atlassian, into a 1-1 discussion with Snyk co-founder Guy Podjarny to talk about what he is seeing in the modern security market, how his team is structured to keep up with the pace of devops today and how he sees Atlassian’s role in helping developers embrace security.

Speakers

Guy Podjarny

Founder, Snyk
Guy is the Founder of Snyk, the host of The Secure Developer, and an O’Reilly author. He was previously CTO at Akamai and led AppScan, pioneering AppSec. Snyk was founded on Guy’s belief that the future of security depends on developer adoption...

Peter McKay

CEO, Snyk

Dipti Salopek

VP of People, Snyk

Adrian Ludwig

CISO, Atlassian


Thursday October 22, 2020 15:30 - 16:30 BST
Main Track

16:30 BST

Snyk Infrastructure as Code - Testing via the CLI in your SDLC
Snyk's new Infrastructure as code is an innovative solution to quickly test Kubernetes deployment files and Terraform files via the Snyk CLI!

Speakers

Ron Tal

Senior Software Engineer, Snyk


Thursday October 22, 2020 16:30 - 16:45 BST
Demo Track

16:40 BST

Laugh Lunch Learn
Amidst the anxiety, social distancing, face masks and long queues, it can be hard to see the light at the end of the tunnel. This short session will bring the laughs, smiles, and virtual positive vibes needed to relieve stress, boost moods, and build community. Infused throughout the humor is a simple strategy for maintaining a sense of humor (and sanity) during the pandemic.

Speakers

Andrew Tarvin

World's first Humor Engineer, Humor That Works
Andrew Tarvin is the CEO of Humor That Works, a leadership development company that teaches professionals how to use humor to achieve better business results. He has partnered with top organizations, including IBM, the UN, and the FBI, to solve human challenges with humor solutions. A...


Thursday October 22, 2020 16:40 - 17:10 BST
Main Track

16:45 BST

Snyk Infrastructure as Code - Monitoring via Source Code Management Integration
The presenter will show onboarding and monitoring infrastructure as code via the Snyk web interface and source code management integration.

Speakers

Rick Harp

Solutions Engineer, Snyk


Thursday October 22, 2020 16:45 - 17:00 BST
Demo Track

17:00 BST

Governance - Security and Licence Policies
Snyk has introduced Security and License Policies for Snyk Pro and Enterprise customers. Learn how to utilize these features in this session!

Speakers

Paul Harland

EMEA Solutions Engineer, Snyk


Thursday October 22, 2020 17:00 - 17:15 BST
Demo Track

17:15 BST

From Control to Collaboration: Democratizing Security
The industry is still building security based on an outdated model. Where enterprises used to purchase, issue and manage the means of computing, now we need to distribute security to mobile users globally. How do we adapt? We have to change hearts and minds as well as technologies. Democratizing security means thinking differently about the people we serve. Users are not “the weakest link”; they are powerful industry drivers. We have to give up the beliefs and control we once held as unquestioned. It’s time for radical change.

Speakers

Wendy Nather (wendy0)

Head of Advisory CISOs, Cisco
Wendy Nather leads the Advisory CISO team at Cisco. She was previously the Research Director at the Retail ISAC, and Research Director of the Information Security Practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation...


Thursday October 22, 2020 17:15 - 17:45 BST
Main Track

17:45 BST

Organizing Your Projects at Scale using Snyk
Best practices for organizing your projects in Snyk, and how to make the most of that structure for reporting.

Speakers

Shawn Miller

Sr. Solutions Engineer /Enablement Lead, Snyk

Omri Negri

Customer Success Team Manager, Snyk


Thursday October 22, 2020 17:45 - 18:00 BST
Demo Track

17:55 BST

How to prioritize your vulnerabilities
Making security issues visible to your team is the first step in making your software more secure, but if teams are overwhelmed by the number of issues, they’re going to find it hard to know what to tackle first. It’s not a simple case of tackling the issues with the highest severity if you have thousands of high severity issues. 

Snyk has been working on a number of features to help your teams prioritize their most critical issues.

This session will share all the different criteria that Snyk uses to prioritise issues, and how you can tailor that prioritisation so it maps to what your organization cares most about.
Takeaways

This session will give you an insight into how other companies are effectively whittling down their backlog of existing issues, while addressing new ones, and how Snyk is helping them do this.
  • You’ll see how other companies prioritize their issues, helping you determine what strategies will be the most effective in reducing your organization’s risks. 
  • You’ll learn about the formula that determines how Snyk ranks vulnerabilities, and what options are available to you to change the priority of issues, so that your teams are always tackling what your organization determines to be the most critical issues within your SLAs.


Speakers

Anna Debenham

Director of Product, SDLC Group, Snyk


Thursday October 22, 2020 17:55 - 18:25 BST
Product Track

17:55 BST

Deployment speed and security can live together
It is generally acknowledged that keeping up with DevSecOps while scaling up a company headcount comes with its share of issues and headaches. How do you keep on improving your velocity without compromising your security?

At Coveo, we come from a culture that encourages diversity, both in the technology we use and the workforce we hire. This means that you can have a microservice architecture running in the cloud composed of Java backend applications, a TypeScript frontend, .NET Core crawling services, Go servers and Python lambdas, all working together in harmony across a global infrastructure to provide relevance and efficiency to our clients.

Deploying such a varied ecosystem, while embracing the shift-left philosophy, is challenging, and forced us to innovate on new tools for our developers to succeed. We needed a system to package the builds, validate them for functionality and security, and deploy the application in our different environments while maintaining security and velocity. Thus was born our Deployment Pipeline with Snyk built into the core of it.

Join us to learn about our journey that ultimately made us more reliable, more efficient, and more secure.

Speakers

Jean-Alexandre Beaumont

Security Engineer, Coveo
Part-time pentesting, part-time assessing compliance, full time focusing on Security, Jean-Alexandre spends his time living the CoveoLife in Quebec, Canada.

Alexandre Emery

Cloud Platform Product manager, Coveo
Passionate about the ever evolving software world and focused on building great products tailored to the customer's reality. An intellectual interest in software development as well as in business coupled with a need to always keep on learning all lead me to the product management...


Thursday October 22, 2020 17:55 - 18:25 BST
Technology Track

17:55 BST

Enable Visibility for SecOps While Reducing Build and Runtime Application Security Risks
Cloud native application development has a wide range of advantages from boosting development efficiencies through technology and automation, to faster and more direct deployment communication and management.

DevOps introduced benefits to the application infrastructure, empowering engineers to move quickly and deploy apps more resourcefully. However, DevOps has also brought a new range of risks to hybrid cloud platforms and application development.

Join me as I explain how I helped a top Brazilian bank enable security for their cloud environments, serverless compute, and Kubernetes services, allowing for streamlined protection. In this session, you will see a demo and learn how to reduce security risks and improve visibility across your containerized web applications.

Speakers

Amanda Veras

Solutions Architect, Trend Micro


Thursday October 22, 2020 17:55 - 18:25 BST
Process & Culture Track

18:00 BST

Utilizing the Snyk API
The presenter of this session will walk you through authenticating, then using the Snyk API.

In this session, common use cases and patterns will be discussed by a Snyk Developer!

Speakers

Nir Fuchs

Director Of Engineering, Snyk


Thursday October 22, 2020 18:00 - 18:15 BST
Demo Track

18:15 BST

Successfully Rolling Out Snyk at the Enterprise Level
Snyk Customer Success managers will discuss successful rollout strategies for Enterprises of various sizes that will ensure success.

Speakers

Andrew MacKenzie

Enterprise Customer Success, Snyk

Andre Lajter

Enterprise Customer Success, Snyk


Thursday October 22, 2020 18:15 - 18:30 BST
Demo Track

18:25 BST

Securing containers directly from Docker Desktop
Docker changed the way applications are built and helps developers simplify their workflows by integrating containers into the dev pipeline. Docker makes development and testing faster and fits well in DevOps practices, but containers require application teams to handle additional aspects of application security. In containers, developers are now responsible for system configuration and security, traditionally the realm of dedicated system administrators. This new accountability, together with the pace at which new vulnerabilities are published and need to be addressed, has the potential to undo the speed benefits that come with Docker and containers.

Docker and Snyk have teamed up to solve this challenge. With the new Snyk <> Docker integration, container owners can now use a simple docker scan <image-name> command and get early visibility into vulnerabilities with the Docker CLI. The scan, powered by Snyk, provides you with not only the security issues, but also directs you to the exact place where you can fix them, without requiring you to track down each vulnerability individually.
This is partly due to one of the unique features of the Snyk-powered scan, which allows you to include the Dockerfile as part of the scan. Doing so not only helps you fix vulnerabilities much faster, but can also present you with recommendations for alternative base images. These recommendations go hand-in-hand with Docker’s best practice of using minimal images, further helping you reduce security risks.

In this talk we will cover:
  • How to scan container images and get Snyk intel directly from Docker Desktop 
  • The different use cases for using `docker scan` in your pipeline 
  • How you can integrate Snyk and Docker for continuous integrated security scanning, in your command line and throughout the SDLC

Speakers

Justin Cormack

CTO, Docker
Justin is the CTO of Docker, a Notary maintainer, and a member of the CNCF TOC. He has been working with containers and in the security space for many years.

Danielle Inbar

Product Manager, Snyk


Thursday October 22, 2020 18:25 - 18:55 BST
Product Track

18:25 BST

Secure by Design - coding patterns
Speakers

Dan Bergh Johnsson

Dan Bergh Johnsson is an agile aficionado, Domain Driven Design enthusiast, and code quality craftsman with a long time interest in security. The combination made Dan use quality practices from DDD to address application security issues - thus being one of the founders in the field...


Thursday October 22, 2020 18:25 - 18:55 BST
Technology Track

18:25 BST

Why are there no incentives for security in Open Source?
Open Source has both “won” and “lost” at the same time. Every company in the world leverages Open Source Software (OSS) to build products. However, all software is vulnerable, and OSS is no exception. Yet, despite the strong incentive for companies all over the world to discover and fix those vulnerabilities, the majority use open source without paying for it.

Security scanners allow companies to discover vulnerable OSS they depend upon, but those vulnerabilities should also be fixed. While there are some incentives in discovering security vulnerabilities via bounty programs, there are none to fix them. A typical email to an OSS maintainer is more like a threat: if you do not fix it in the next month or so, I am going to make this public.

In Node.js we have experimented with a public bounty program with https://github.com/nodejs/security-wg, and several companies sponsor full-time researchers to discover vulnerabilities. However, the OSS maintainers receive no compensation for their time in fixing the vulnerability. How can we solve this conundrum?

Speakers

Matteo Collina

Chief Software Architect, NearForm
Matteo is the Co-Founder and CTO of Platformatic.dev. He is also a prolific Open Source author in the JavaScript ecosystem and modules he maintains are downloaded more than 12 billion times a year. Previously he was Chief Software Architect at NearForm, the best professional services...


Thursday October 22, 2020 18:25 - 18:55 BST
Process & Culture Track

18:35 BST

CircleCi Demo
Thursday October 22, 2020 18:35 - 18:50 BST
Demo Track

18:50 BST

Open Source Visibility - Bridging Dev and SecOps
Across an organization’s application composition footprint, security practitioners are trying to understand the scale and scope of open source code vulnerabilities. With organization friction and a misalignment of tools, Security operations teams find it difficult to understand and secure those areas of the business that they don’t have visibility into, while development teams struggle with properly identifying code-based threats that might impact their applications. Together how can both teams address these challenges and prioritize critical security risks?

Join Snyk, the leader in developer first security, and Trend Micro the leader in cloud security as they discuss how to bridge this divide with greater visibility and a centralized viewpoint. By helping security teams ensure that visibility as well as the proper guardrails are in place, and empowering developers to prioritize security fixes early in their build cycle, both teams can maintain control of their pipeline and application security responsibilities.

Speakers

Geva Solomonovich

CTO, Global Alliances, Snyk
A Business-focused Technology Executive, with vast experience in Fin-tech, Payments, Fraud and Risk Management. My experience spans from Fortune 500 companies, to building startups from scratch, to being acquired by PayPal and featured as the headline story in the book "Start-Up Nation...

Wendy Moore

VP Product Marketing, Trend Micro


Thursday October 22, 2020 18:50 - 19:05 BST
Demo Track

18:55 BST

DevSecOps for Platform Teams: A Discussion on Making It Easy to Do the Right Thing
We all know that security is everyone's responsibility, but with increasingly complicated cloud-based application platforms being built it is not always obvious who is responsible for what. For example, how can leaders encourage developers to think about security and the key integration points between the apps and the platform, and how can platform engineers make it easy for development teams to do the right thing in regards to security?

Join this panel session to learn from platform builders and team leaders about DevSecOps for the modern platform:
- Katie Gamanji, Cloud Platform Engineer @American Express | TOC @CNCF
- Mario Platt, VP Head of Information Security at CloudMargin
- Melissa Benua, Director of Engineering at mParticle

Topics to be discussed:
- Key technologies, practices, and processes in relation to implementing security within a cloud platform (and how to prioritize them)
- How to balance dev and ops responsibility for platform security
- How security relates to observability (and understandability)
- How developers can get started with learning about platform security
- Common Kubernetes security gotchas

Speakers

Daniel Bryant

Head of DevRel, Ambassador Labs
Daniel Bryant works as a Product Architect at Datawire, and is the News Manager at InfoQ, and Chair for QCon London. His current technical expertise focuses on ‘DevOps’ tooling, cloud/container platforms and microservice implementations. Daniel is a leader within the London Java...


Thursday October 22, 2020 18:55 - 19:25 BST
Process & Culture Track

18:55 BST

Fixing the cost of fixing - the road to zero vulnerabilities
As applications become more complex and use ever more dependencies, vulnerabilities pose a growing risk and staying on top of them becomes a harder job. The average project has over 20 vulnerabilities when first imported into Snyk. Given that developers are owning more of the software development lifecycle than ever before, it’s no wonder that ~54% of organizations end up knowingly deploying vulnerable code into production.

Prevention isn’t enough, and while a leading database allows you to find and avoid many vulnerabilities, there’s a pressing need to reduce the backlog of vulnerabilities that either existed before you started scanning a project, or are later found in already deployed code.

To help development and security teams prevent and fix vulnerabilities in the most efficient way, security solutions must provide the following key ingredients:
  • Accurate, timely and comprehensive vulnerability intelligence/detection
  • Simple and easy-to-use interfaces 
  • Automated remediation workflows
This session will demonstrate how Snyk combines these three ingredients to help organizations reduce the effort and planning required to get, and stay, as close to zero vulnerabilities as possible. Snyk does this with automated PRs to keep dependencies up to date, fix newly found vulnerabilities, and address the backlog of vulnerabilities. 

Takeaways

Following this session, participants will have a deeper understanding of Snyk’s active remediation functionality. This will enable them to not only fix newly discovered vulnerabilities, but also reduce the backlog of vulnerabilities that most projects have. As well as this, they’ll know what they can do to stay up to date, helping them avoid deploying new vulnerabilities and simplifying future vulnerability fixes.

All of this is possible in a developer focused way, that automates away the need for time-intensive planning required in order to manually track what has been fixed and what should be fixed next. It eliminates a large part of the developer effort required to raise pull requests, allowing the developers to review and apply changes in tools that they are already familiar with, and use daily.


Speakers

Dan Mckean

Product Manager, Snyk
Product Manager at Snyk looking after teams concerned with freemium, user acquisition, user success and onboarding, and conversion to paid plans. As well as helping our users to be more successful with remediation. Talk to me about any of those things! 


Thursday October 22, 2020 18:55 - 19:25 BST
Product Track

18:55 BST

Do you accept the risk? Dynamic risk metrics in your environment.
Risk management is relatively new to the security industry but in reality insurance teams, government, and finance have been using risk assessments to make decisions for years. In this talk we’ll demonstrate how to apply classical risk management concepts to modern DevOps practices. You’ll learn how to communicate across your organization using a standard vocabulary to calculate risk at a service level, then see a demonstration of how to dynamically calculate and increase risk levels using Security Scores.

Speakers

Daniel Maher

Developer Relations, Datadog
Dan is a veteran of the original dotcom bubble and has since worked in a variety of environments from start-ups to global corporations, including stints as a founder, university lecturer, and a day labourer. Today, Dan is a member of the Devopsdays global team and the Community...

Andrew Krug

Security Evangelist, Datadog
Andrew Krug is a Security Engineer specializing in Cloud Security and Identity and Access Management. Krug also works as a Cloud Security consultant and started the ThreatResponse project, a toolkit for Amazon Web Services first responders. Krug has been a speaker at Black Hat USA...


Thursday October 22, 2020 18:55 - 19:25 BST
Technology Track

19:25 BST

Disclosing security vulnerabilities: If You’re Good at Something - Never Do it for Free
A humorous take on this problem

Speakers

Anna Manley

Principal, Manley Law Inc.
Anna Manley is an internet and privacy lawyer based in Sydney, NS. She is the principal of Manley Law Inc. and founder of Advocate Cognitive Technologies Inc. Anna advises companies and individuals on all things law and tech related.


Thursday October 22, 2020 19:25 - 19:30 BST
Main Track

19:30 BST

Why can't we simply add a button that does X?
How hard is it to add feature Y, and why does it take so long? These are questions engineers need to handle regularly. Often, people without the appropriate skill set question the answer supplied by the engineers.

If we build a physical structure, we all understand that we cannot endlessly build new things on top of the existing parts. However, when building software, we magically expect that we can. We have made it an art to build crappy software and still make it look shiny on the outside.
Making the impossible work with minimal resources is a great accomplishment by our engineers. But what if ...
Let me show you how all of us make the same mistake over and over again.

Speakers

Brian Vermeer

Snyk
Developer Advocate for Snyk and Software Engineer with over 10 years of hands-on experience in creating and maintaining software. He is passionate about Java, (Pure) Functional Programming and Cybersecurity. Brian is an Oracle Groundbreaker Ambassador, Utrecht JUG Co-lead, Virtual...


Thursday October 22, 2020 19:30 - 19:35 BST
Main Track

19:35 BST

Are You a Security Sherpa, or a Security Bully?
Learn how being a guide to your organization is more beneficial in the long-run than mandating controls. These concepts and techniques allow you to shift security left, and reduce overall risk.

Speakers

Dan Tyrrell

Manager of Information Security, AcadiaSoft
Dan Tyrrell is the Manager of Information Security for AcadiaSoft, a global FinTech firm. He works across business functions to ensure continual improvement of security controls and regulatory compliance. Hobbies include spending time with family, martial arts, and motorsports...


Thursday October 22, 2020 19:35 - 19:40 BST
Main Track
  Lightning Talk
  • Dan Tyrrell has held various management positions in the information security field, ranging from Lead Engineer to Director of Information Security, for the last 5 years. In that time he has learned by doing, always willing to fail fast, and apply fresh concepts to unique problems. Dan holds a handful of industry certifications, but prefers to learn by doing. When not focusing on Information Security, Dan likes to spend time with his wife and two daughters, read, and practice martial arts.

19:40 BST

Ain’t no mountain high enough: Scaling security with Snyk
Growth is a great feeling! Whether it’s plants in the garden, dough rising, or increasing the number of developers and teams that are building applications and services in your organization - you can’t help but love seeing things grow. 

However, growing without the right tools to support your scaling needs can open you up to newsworthy security risks in your organisation. These risks range from malicious users being where they shouldn’t be, to crippling vulnerabilities drowned in a sea of less severe issues, to having to pull the shutters down because you’re no longer compliant with industry standards.

With our largest customers managing hundreds of organisations, thousands of developers, and hundreds of thousands of projects, Snyk is devoted to ensuring these customers are successful at this scale.

In this session I’m going to cover: 
  • What “scale” means for enterprises, and the common security issues that appear with it, such as authorization gaps, incorrect prioritisation of issues, and blind spots in legal compliance
  • How Snyk helps customers work at this scale, while promoting developer adoption for Open Source Security 
  • A deep dive into some features in Snyk which help support specific scaling needs such as the Snyk API, Project tagging, Project Attributes, and Policies
Takeaways
  • Learn how large enterprises identify and remediate major security issues when scaling with minimum disruption
  • Learn the tools and strategies you can leverage to improve developer adoption of security tools and policies as organizations scale
  • Learn how to use key capabilities within Snyk such as the API, tagging and attributes, and Snyk Policies


Speakers

Simon Wilkins

Application Security Analyst, Overstock
Worked in Application Security for the last 4 years. Automation is everything! While I come from a development background, I like to use those skills to provide automation for colleagues and development teams to make everyone's life easier. Security is hard, let's not make it any harder...

Waleed Arshad

Product Manager, Snyk
I have experience in integration middleware and dealing with issues that users face when they scale their organisations! Feel free to say hi about any of those things, or anything else like Chemistry or baking :) 


Thursday October 22, 2020 19:40 - 20:10 BST
Product Track

19:40 BST

Securing Front-end Attack Surfaces
Do security vulnerabilities exist in modern front-end frameworks like Vue, React or Angular? We'll take a look at attack vectors on the front-end and realize that XSS is still very much a real concern when building modern front-end applications. We'll talk about workflows and tools to help bring front-end security to front-end developers and the risks of open source and JavaScript's supply chain security from dependencies to the edge.

Speakers

Eric Graham

VP Product Management, Akamai Technologies

Liran Tal

Developer Advocate, Snyk


Thursday October 22, 2020 19:40 - 20:10 BST
Technology Track

19:40 BST

Utilizing Dojos to Instill a Culture of DevSecOps
Dojos offer an immersive learning opportunity that cultivates real cultural change and focuses on the new practices and technologies needed to achieve a specific DevOps-oriented goal or capability. Whether your goal is to shift security left in the SDLC or to implement automated security enablers, the fun and easy part is always the technology; organizations often struggle with, or even forget about, the most critical parts of the DevOps transformation: the People and Culture.
Description

The Dojo solves this problem by gathering the entire team (Product, Development, Testing, Security, Risk, etc.) in a physical/virtual learning space where teams can form habits of collaboration, trust, and transparency in a new way of working. In these hands-on, interactive sessions, teams learn how to work together more effectively to accelerate software delivery. This “learning together” mindset cultivates empowerment and shared responsibility, enabling individuals to accomplish their goals while working as a unified team that drives towards better, faster, more secure, and higher-quality outcomes.

Speakers

Eric Chapman

Technical Principal, Liatrio
Eric Chapman is a Technical Principal at Liatrio, helping our clients deliver software faster and safer. With a background in software development, he has spent the past 20 years architecting, building, and enabling software systems for large complex organizations ranging from US...


Thursday October 22, 2020 19:40 - 20:10 BST
Process & Culture Track

20:10 BST

Patterns for secure container base image management
Lots of organisations maintain a set of internal container base images. This allows for some centralisation of decision making (which base operating system should we use? What language runtimes do we support?) and provides a single place where security hardening and low-level patches can be applied.

But how do you ensure development teams are using the up-to-date base image? And from the development team perspective how can we make using the central base images a better developer experience?

In this talk we will:

  • Look at a few patterns for better base image management
  • Discuss the pros and cons involved in having central base images for your organisation, in particular around communicating change and determining ownership of issues
  • Talk about the role build files like Dockerfile play in helping manage usage of base images
  • Show a few demos of tools, including Snyk, Open Policy Agent and GitHub Actions, that can help you securely manage your base images
Takeaways
All attendees should come away from the session with some practical ideas they can put into practice straight away, whether they already have a central base image programme or not.

For teams responsible for managing a set of base images for an organisation we’ll talk about:
  • The problems you might be trying to solve by having your own base images, like being able to triage issues once and reduce operational complexity
  • Why development teams might not buy in and what to do about it 

For development teams building applications we’ll look at:
  • Why having someone else managing base images for you can be a good thing
  • Ways of making the security boundaries between teams clearer

And for security teams responsible for assuring the final images and the process around building them we’ll discuss:
  • How you can measure this effort across lots of teams and lots of images.
  • How to engage development teams in the process 


Speakers

Gareth Rushgrove

Director of Product, Cloud Native, Snyk
Director of Product Management at Snyk. Developer, designer, occasional sysadmin. Infrastructure and open source geek. Curator of Devops Weekly.


Thursday October 22, 2020 20:10 - 20:40 BST
Product Track

20:10 BST

Navigating DevOps Security journey at Scale using OWASP SAMM 2.0
OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company risk profile, organizational structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organization. Yet, trying to achieve this without a good framework will most likely lead to only marginal and unsustainable improvements.

OWASP Software Assurance Maturity Model (SAMM) gives all types of organizations an effective and measurable way to analyze and improve their software security posture in 3 levels of maturity, thus creating a step-by-step software assurance navigation plan. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization. In this talk, we give an overview of the new release of the SAMM model. Ten years after its first conception, it was important to align it with today’s development practices.

We will cover a number of topics in the talk:
(i) the core structure of the model, which was redesigned and extended to align with modern development practices,
(ii) the measurement model, which was set up to cover both coverage and quality, and
(iii) the new security practice streams, in which the SAMM activities are grouped into maturity levels.

We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.

Speakers

Hardik Parekh

Senior Director, Head of Product & Application Security
Hardik Parekh is a recognized thought leader and executive in the product security domain with hands-on contributions to SANS CWE Top 25, OWASP SAMM, BSIMM 1.0 to BSIMM 9, and SAFECode. Hardik is part of the core team which developed OWASP SAMM 2.0. Hardik has 16+ years of hands-on security...


Thursday October 22, 2020 20:10 - 20:40 BST
Process & Culture Track

20:10 BST

Product Security Automation at Asurion
Using a developer-first toolkit has been key to Asurion's growth and our ability to scale Security to meet the growing demands of our Product teams. While we continue to hone our craft it's important that we use the best-of-breed tools to provide developers with actionable information, information that helps mitigate risk early in our development lifecycle. Listen in as we share how we use Snyk as part of this toolkit to identify risk, potentially break builds and ship needed information to a SIEM for visualization by executives and by the SOC.

Speakers

Jeremy Young

Principal Security Engineer, Asurion
I thought I'd be forecasting tropical weather systems by now but turned my weather modeling experience into a Linux admin role out of school. Security is where my passion is. I'm in a lucky role where I can split my time between penetration testing and using my experience on DevOps...


Thursday October 22, 2020 20:10 - 20:40 BST
Technology Track