Abstract

Traditional infosec research is typically viewed as solving hard technical problems with an offensive mindset. The major fruits of that labor, such as new vulnerabilities, attacks, or techniques, are most impactful when they violate existing assumptions about the security of the systems we rely on day to day.

In contrast, appropriate security and privacy is often perceived as an expectation rather than a new result, despite an evolving environment, limited resources, and an always-adaptive attacker. Some parts of computer security rest on solid scientific foundations, such as cryptography. Most parts, however, are shakier and rest instead on a heuristic and imperfect understanding shaped by economic constraints. This talk will attempt to bridge the gap between offensive security researchers and defensive engineers in understanding the underlying processes of product security in a large organization.

I will share best practices for defending complex, large-scale, consumer-facing systems and will reevaluate some common assumptions in the infosec industry. Attendees will come away understanding how defense can work at scale via secure-by-design principles and up-to-date product-lifecycle realities.

Slides