Keynote
Christoph Kern
Software Engineer, Google
Christoph Kern is a software engineer in Google’s Information Security Engineering organization, whose goal is to keep Google’s products secure and users safe. Within this larger organization, he works with a team of security engineers to prevent security defects in Google’s applications and services through framework, API, and platform design.
9:15 am, Monday, September 25, 2017
Secure Design: A Better Bug Repellent
A step towards addressing this unsatisfactory state of affairs is to change focus from chasing down instances of implementation-level defects and vulnerabilities, and instead treat the mere potential that a particular type of defect could exist as a design flaw at the application architecture and frameworks level.
Over the past several years we have developed design patterns that, when applied to application architecture, API and framework design, do indeed result in a drastic reduction if not elimination of the potential for certain types of defects to occur in application code.
This talk will briefly summarize our perception of the limitations of traditional approaches to software security. We will then give examples of secure design patterns we have developed, and discuss how we were able to apply them at scale to frameworks and APIs that form the basis of Google flagship products such as Gmail, Docs, Search, G+ and many others.
Francesco Logozzo
Theoretical & Experimental Static Analysis Expert, Facebook
Francesco is a Software Engineer in the Detection and Security Infrastructure team at Facebook. He has developed industrial static analyzers at Facebook and Microsoft. He has published more than 40 research papers in venues such as POPL, PLDI, and OOPSLA. He has served on more than 20 program committees and has been invited to speak at both industrial and academic venues. He holds a Ph.D. in abstract interpretation from Ecole Polytechnique, obtained under the supervision of Dr. Radhia Cousot.
1:15 pm, Monday, September 25, 2017
Defense-in-Depth at Facebook with Static Analysis
In this talk, I will discuss a static analyzer that we built to surface potential security and privacy issues in the facebook.com codebase. We have developed a bottom-up, inter-procedural, abstract interpreter that focuses on security issues that are difficult to prevent using the type system (i.e., Hack) or secure libraries and frameworks. We designed the tool based on guidance from Facebook’s security engineering teams. When a new class of vulnerabilities is discovered, we evaluate whether it is amenable to static analysis. If that is the case, we prototype the new rule, refine it based on feedback from security engineers, and then evaluate the rule against the whole codebase. In some cases, we are able to generate a patch automatically. Concurrently, we run this tool on every code change, thus preventing the reintroduction of this type of issue.
I will also describe some of the advances in static analysis that enable the tool to scale to thousands of changes per day in a codebase that measures tens of millions of lines of code.
Eric Baize
Chairman, SAFECode; Vice President, Product Security, Dell EMC
At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: vulnerability response, secure development, consistent security architecture, and code integrity throughout the supply chain.
Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US.
Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager.
Follow Eric Baize on Twitter: @ericbaize
9:30 am, Tuesday, September 26, 2017
Scaling Secure Development by Changing the Software Culture Code