You've joined a startup building the next big enterprise unicorn. The product is delivered as JavaScript on all of your customers' websites. What could go wrong? The threat model of serving third-party JavaScript all over the web will be reviewed. There's plenty of room for small engineering mistakes that lead to a pwn-once, exploit-everywhere failure. Strategies for focusing your SDL on these flaws will be discussed.
Next, defenses at key points of the delivery architecture will be explored, from the SaaS platform to CDNs to browsers. Now for the money: what does it take to convince customers to serve your code? It's a big leap of faith for customers to trust you and your arbitrary JavaScript on their site. The deeper their pockets, the higher they set the bar for you throughout your architecture. What do they expect in your SDL? Finally, how do you sell this in your organization? Going beyond SDL best practices, strategies for building a product and engineering culture of protecting JavaScript delivery will be shared.