You've joined a startup building the next big enterprise unicorn. The product is delivered as JavaScript on all of your customers' websites. What could go wrong? This talk reviews the threat model of serving third-party JavaScript all over the web. There's plenty of room for small engineering mistakes that lead to a pwn-once, exploit-everywhere failure: a single flaw in the delivered script or its delivery path is inherited by every customer site that loads it. Strategies for focusing your SDL on these flaws will be discussed.
Next, defenses at key points of the delivery architecture will be explored, from the SaaS platform to CDNs to browsers. Now for the money: what does it take to convince customers to serve your code? It's a big leap of faith for customers to trust you and your arbitrary JavaScript on their site. The deeper their pockets are, the higher they set the bar for you throughout your architecture. What do they expect in your SDL? Finally, how do you sell this in your own organization? Going beyond SDL best practices, strategies for building a product and engineering culture of protecting JavaScript delivery will be shared.
Kyle Randolph has 15 years of experience scaling security teams and security services. He built a security team from scratch at Citrix, hardening everything from terminal services kernel drivers to COM clients. Kyle sandboxed everyone's favorite malware delivery agents at Adobe and built authentication services at massive scale at Twitter. Most recently, Kyle's focus has been growing security and privacy at Optimizely, which serves JavaScript on many of your favorite websites.