Event

DATE
November 05, 2015, 09:30 AM - 04:00 PM

TIME
09:30 AM

VENUE
AT&T Executive Education and Conference Center

Start with Security: Best Practices for Developers, Start-ups, and Innovators

Over the past several years the Federal Trade Commission (FTC) has emerged as the leading government regulator concerned with the problems that cybersecurity poses for the business community. Those problems are particularly acute for start-ups, and for that reason the FTC has launched a national initiative to assist both entrepreneurs and investors in understanding and rising to the challenge.

On November 5th at the AT&T Conference Center, the focus of that national conversation will be on the campus of UT-Austin, with a special emphasis on the challenges faced by app developers. UT's Robert Strauss Center for International Security and Law and the Center for Identity are partnering to host the FTC and an all-star collection of technologists, business executives, investors, and government officials for a day-long conference titled “Start with Security.” Speakers from LiveOak Venture Partners, Rapid7, HackerOne, RetailMeNot, Dell, National Instruments, Honest Dollar, Pearson, Signal Sciences Corp, KPMG Cyber, and others will address topics including:

  • Addressing common security vulnerabilities in apps
  • Adapting security testing for rapid-growth and continuous-delivery environments
  • Managing risks from third-party code and services
  • Overcoming development challenges that inhibit security
  • Using secure coding practices and secure frameworks
  • Taking a venture capital perspective on start-ups and security

Lunch will be provided. The event is free and open to the public, but pre-registration is required.

8:30 am     Doors Open

9:30 am     Welcome
                  Dr. Suzanne Barber
                  Director, Center for Identity, The University of Texas at Austin

Introductory Remarks
Dama Brown
Regional Director, Southwest Region, Federal Trade Commission

Opening Remarks
Terrell McSweeny
Commissioner, Federal Trade Commission

10:00 am

Panel 1: Starting up Security: Building a Security Culture: How can startups build a culture of security? Examining some of the most common design flaws and vulnerabilities found in applications today, this panel will explore how startups can model these threats, train their developers in secure coding practices, and use secure frameworks to help minimize their application security debt.

Lauren Riposo VanDruff of the Federal Trade Commission’s Division of Privacy and Identity Protection moderated the first panel, which addressed how start-up businesses can build a security culture within their company. Panelist Alan Daines, Chief Information Security Officer for Dell, emphasized that a security culture has to be built from the top down. Panelist Josh Sokol, Information Security Owner for National Instruments, stressed that anyone can start a security culture by promoting it among coworkers. Panelist Christophe Borg, Vice President of Engineering Operations for RetailMeNot, discussed how encouraging competition between engineering teams can improve the security of the projects the company produces. All the panelists agreed that it is far cheaper to build security in during a product’s development than to address security concerns just before release. Sokol also discussed the importance of incorporating risk management into a start-up’s security culture and introduced the free tools that the Open Web Application Security Project (OWASP) provides to developers.

11:00 am    Break

11:15 am

Panel 2: Scaling Security: Adapting Security Testing for DevOps and Hyper-growth: How can startups test and review their applications for security when they are experiencing exponential user growth, hiring new engineers at a rapid clip, and shipping code on a weekly, daily, or even hourly basis? This panel will discuss how security testing can be automated and adapted for a world of continuous delivery in a high-growth startup environment.

Laura Berger of the FTC’s Division of Privacy and Identity Protection moderated the second panel, which addressed how start-ups can test and review the security of their products. Panelist Matt Johansen, Director of Security for Honest Dollar, observed that vulnerabilities in technology products are fixed slowly while attacks have ever shorter life cycles, and that many of the problems identified in products are never fixed at all. Panelist Matt Tesauro, Senior Software Security Engineer at Pearson, stressed the importance of frequent, efficient tests and of not overwhelming engineers with long security reports. Panelist James Wickett, Engineer of Awesome at Signal Sciences Corp, said that security specialists are at a transition point in the technology industry and are becoming essential to producing an effective product. The panelists discussed several free testing tools that are good starting points for start-ups, such as Gauntlt, and strategies for designing an initial testing pipeline.


12:15 pm  Lunch Break

1:10 pm    Investing in Security: Fireside Chat with Co-founder of LiveOak Venture Partners Venu Shamapant

Moderator:

Commissioner Terrell McSweeny

1:30 pm

Panel 3: Third-party AppSec: Dealing with Bugs, Bug Reports, and Third-party Code: Out of the gate, third parties have big implications for startups’ security: Applications are built from third-party components; third-party services provide critical functionality; and before long, third-party researchers come calling with vulnerability reports about your own code. This panel will address how startups can manage risks from third-party code and services, and harness the security community’s work to improve their secure development lifecycle.

In the third panel, Jared Brown of the FTC's Division of Privacy & Identity Protection moderated a panel of experts consisting of HD Moore (Chief Research Officer, Rapid7), Katie Moussouris (Chief Policy Officer, HackerOne), and Wendy Nather (Research Director, Retail Cyber Intelligence Sharing Center) on dealing with bugs, bug reports, and third-party code. They discussed the concerns of using third-party software in a business: how to vet it, how to manage it once it is integrated into existing software, and how to keep it updated and useful. The panel also discussed the importance of opening and maintaining a vulnerability reporting channel that welcomes input from reporting individuals and groups.

2:30 pm      Break

2:50 pm

Panel 4: Beyond Bugs: Embracing Security Features: How can startups go beyond bug hunting to implementing security features? This panel will consider how startups can overcome development challenges, such as impacts on performance, to embrace security features, like site-wide SSL/TLS, Content Security Policy, and multifactor authentication, that can protect consumers from threats proactively and help eliminate entire classes of vulnerabilities.

Katherine McCarron of the FTC's Division of Privacy & Identity Protection moderated the final panel, which included Robert Hansen (Vice President, WhiteHat Labs), Claire Nelson (CEO, ClearMark Consulting), and Caleb Queern (Manager, KPMG Cyber). The panel discussed the importance of evaluating and deploying security features such as site-wide encryption, multi-factor authentication, and Content Security Policy. Small business owners need to understand what works and what does not when using these and other security features; the panel expressed overall support for site-wide encryption and Content Security Policy. On multi-factor authentication the panel noted that it works in some cases and not in others, but that it is developing rapidly and may in the near future be a key component in establishing that a user is who they claim to be.
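Two of the features this panel endorsed, site-wide encryption and Content Security Policy, are things a start-up can check on its own responses before shipping. The script below is an added example written for this page, not code from the conference or any panelist: it parses a Strict-Transport-Security (HSTS) header and a CSP header and reports the weaknesses a reviewer would flag (HSTS missing or shorter than a year, CSP missing a default-src fallback, scripts allowed from wildcard or 'unsafe-*' sources, plugins not disabled). The sample headers and the one-year max-age threshold are constructed assumptions for illustration.

```python
"""Audit HSTS and CSP response headers for common weaknesses (added example)."""
from __future__ import annotations

# Constructed sample responses for the example; not captured from any real site.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *",
}

STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.com; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
}

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds

# Source expressions that make a script-src effectively useless against XSS.
UNSAFE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for a response's headers; empty means clean."""
    findings: list[str] = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will not enforce site-wide TLS")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = 0
        for d in directives:
            if d.startswith("max-age="):
                try:
                    max_age = int(d.split("=", 1)[1])
                except ValueError:
                    pass
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        policy = parse_csp(csp)
        default = policy.get("default-src", [])
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when absent, so check the effective list.
        for src in policy.get("script-src", default):
            if src in UNSAFE_SOURCES:
                findings.append(f"CSP allows script from {src}")
        if policy.get("object-src", default) != ["'none'"]:
            findings.append("CSP does not disable plugins (object-src 'none')")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(name, audit(hdrs) or ["no findings"])
```

Point the same function at real responses by filling the dictionary from an HTTP client; the checks are deliberately conservative (a host-specific source such as https://cdn.example.com passes, the bare https: scheme does not) so that a clean result actually means something.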

3:50 pm    Closing Remarks