Members of the Adobe product security team had the good fortune to attend LocoMocoSec this year in Lihue, Kauai. The perfect weather, beautiful beaches, and relaxed Hawaiian atmosphere helped to attract some top caliber speakers in the product security ecosystem – and the quality of the conference talks did not disappoint. I personally had the opportunity to speak to a great audience at the conference on the topic of “Tips & Tricks for Effective Vulnerability Management.”
Integrating security in a DevOps world was a common theme in a number of excellent talks on day one. “DevSecOps” is a term coined to capture security’s role in this new operating environment, and speakers from Microsoft and Signal Sciences shared best practices and ruminations on how security can both scale and sprint alongside high-performing engineering teams.
Managing the potential security risk of open source components (at scale) was the topic of several enlightening presentations on day two. As noted by speakers from Microsoft and BlackBerry, the security team needs both to empower engineering teams to make smart choices regarding the components they are introducing in their solutions, and to define and enforce policies that govern out-of-date or unsupported external components. As Michael Scovetta said, “Open source software isn’t like a free Mai Tai; it’s like a free puppy.”
The day three highlight for me was a talk by David Lindner entitled “Have you adapted your appsec?” David has decades of experience in product security and shared some of his best practices, including practical advice on how product security can evolve from being a release blocker to adding value at every phase of the development lifecycle through tooling, assessments and user stories, among other means.
This year’s LocoMocoSec was an excellent product security conference, and a unique opportunity to hear from practitioners with deep expertise in running product security programs at the hottest start-ups like Uber and Slack, as well as established behemoths like Microsoft and Google. Thanks to the organizers, volunteers and sponsors who made it happen!
Manager, Product Security Incident Response Team (PSIRT)