The third annual Security@ conference was a huge success. Hackers, thought leaders, and industry professionals gathered at the Palace of Fine Arts to share insights and break new ground.
Missed it? There’s always next year. In the meantime, here’s a recap so you can live vicariously.
Beyond the Security Experts
We kicked off the conference with a conversation between Phil Venables, Senior Advisor of Risk & Cybersecurity & Board Director at Goldman Sachs, and Bill Gurley, partner at Benchmark. Phil emphasized that security is too important to be left solely to security experts. Rather, security must be built into the entire software development lifecycle -- an idea that we at HackerOne fully endorse. Companies must continuously test their systems and work to build security into the architecture of their products.
Just about everyone in the security world is thinking about regulation, and Phil is no different. But Phil believes people may have underestimated the power of regulation. Rather than seeing it as an inconvenience, security professionals should partner with the government to help create effective, sensical regulations.
We picked up the theme of regulation later in the day with the panel “Advocating for Change.” Dr. Amit Elazari, director of global cybersecurity policy at Intel, interviewed three panelists to figure out what happens with security collides with policy: Patriick Coughlin, co-founder at TruSTAR, Cameron Dixon, public servant the newly-founded US Cyber and Infrastructure Security Agency, and Harley Geiger, director of public policy at Rapid7.
Despite businesses’ struggles to adapt to quick-changing policies -- and policymakers’ struggles to adapt to new technology -- our panelists were optimistic about the future. Patrick invites enterprise businesses to interrogate their culture around transparency and disclosure. And both Cameron and Harley urged businesses and individuals alike to reach out to policymakers to make their opinions, suggestions, and solutions known.
The World’s Best and Boldest Hackers
Our audience got to meet some of the world’s top hackers. Aki Ito, tech editor at Bloomberg, interviewed a panel of hackers who’ve earned over a million dollars on our platform: Tomy DeVoss, Santiago Lopez, and Nathaniel Wakelam. We got an inside look into why they hack (spoiler: the money is good and it’s fun to make the internet a safer place) and whether they get enough sleep (for Santiago, the answer is “not regularly”).
The hackers spoke highly of Verizon Media and other companies who know how to attract top talent. They cited Verizon Media’s quick payouts, streamlined guidelines for bounties, transparency, and consistency.
We also got to meet Jack Cable, the hacker who made headlines for hacking the Department of Defense when he was just seventeen. Jack shared his journey and his passion for taking things apart.
In a panel called “Hacking the Talent Gap,” we heard from four security experts who moonlight as bug bounty hunters: Pete Yaworski, appsec engineer at Shopify, Tanner Emek, appsec engineer at OneLogin, and Nathanial Lattimer, security engineer at Dropbox. The experts highlighted the interplay between bug bounty and their day jobs: an overlap in skills, technical know-how, and toolkits. Each of them talked about the importance of looking at bug bounty hunters as a talent pool for companies hiring in security.
Scaling Security 101
As we all know, scaling your security can be a major headache. Luckily, Security@ saw no dearth of experts who were eager to share their best practices. We heard from two experts from Salesforce -- Roy Davis, sr. product security engineer , and Emre Saglam, director of product security -- on how to use vulnerability trend analyst to uplift your entire security architecture.
The audience was also treated to a lightning talk from Pax Whitmore, an infosec engineer at PayPal. This was a valuable session for any company that’s struggled to streamline its bounty payouts. Pax discussed mapping CVSS scoring to payouts to make them fair and consistent.
In a panel called “Scaling Security from Startup to Unicorn,” we heard from a variety of security veterans whose companies experienced hypergrowth, and whose security didn’t suffer as a result: Kelly Ann, security engineer at Slack; Andrew Dunbar, VP of security engineering and IT at Shopify, and Aabhan Sharma, director of engineering at Postmates. The group agreed that it helps to start by hiring security generalists rather than specialists, and to secure buy-in by showing concrete ROI.
The panel commiserated on the struggles of running a tight ship. Fortunately, though, they brought up a number of free workarounds like open source software and low-cost solutions like bug bounty programs.
Our audience got to be the first to hear some exciting news from security’s best and brightest.
The Department of Defense officially announced that they have passed 11,000 bugs discovered through their HackerOne bug bounty program. Congratulations on this impressive milestone!
But that’s not all. Dan Gurfinkel, security engineering manager at Facebook, shared three major announcements. Staring on the day of Security@, Facebook is now accepting bugs found through active pentesting rather than passive observation. This is not only true for the site itself, but also for third-party apps that interface with Facebook. Facebook will now offer bonuses for native bugs, as well.
To emphasize the company’s ongoing commitment to bug bounty hunters and security researchers, Facebook has updated their terms of service. It now includes language that solidifies Facebook as a safe harbor for hackers who wish to report vulnerabilities. We congratulate Facebook on taking this crucial step toward making the internet a safer place.
That’s all for now. See you next year! #TogetherWeHitHarder