Working in security is a principled decision. Many of us do this because we want to help make technology more reliable and safer for our friends, our family - for humanity. Your skills got you a job, but your principles and drive got you the skills.
Turning your ideals into real, concrete outcomes at scale is… daunting. Interconnected networks, billions of lines of ever-evolving code, third party dependencies and legacy requirements, competing priorities, conflicting incentives, snake oil solutions; these are just a few of the challenges that are familiar to security professionals, and that doesn't even include the social and communication barriers or endless philosophical debates.
So, how do you actually make technology in complex landscapes safer, at scale?
This talk offers guiding advice that we as security practitioners and leaders must embrace in order to succeed: principled pragmatism, openness, and an optimistic dissatisfaction with the status quo. Drawing on her experiences leading some of the biggest, ongoing security efforts that aim to make technology safer for all users, Parisa will first describe how a grassroots side project grew to shift the majority of the web ecosystem to secure transport, nearly 25 years after the technology was first made available. Next, she will review the major effort to implement an intern's publication in one of today's largest open source projects, and how they persevered for 5+ years of refactoring, avoiding efforts to defund the work along the way. (Coincidentally, this project helped the world's most popular browser mitigate a new class of hardware vulnerabilities earlier this year!) Finally, she will share how throwing out the rule book on vulnerability disclosure has been moving giants of the software industry toward measurably faster patching and end-user security.