Building a World Class Security Team
TRANSCRIPT
Michael Stoppelman, SVP of Engineering at Yelp
[email protected]
@stopman
Building a World Class Security Team
“One Engineer at a Time”
Yelp’s Mission: Connecting people with great local businesses.
Yelp Stats (as of Q2 2016)
92M 3272%108M
$`whoami` Michael Stoppelman
● Purdue alumnus, BS in CS; graduated in 2003
● 2003 - 2007 - software engineer - Google
● 2007 - now() - SVP of Engineering - Yelp (9.5+ years) @stopman
2005-2009 - not a big target yet
2010 - Now we’re a target…
Our first security audit…
Security Czar - 2011
V0 Hiring
V0 Early mistakes…
V0: 2FA Everywhere
XSS protection by default
Evil Redirects!
V1 Hiring
Getting Good at Basics - Corp
● Malware detection
● Full Disk Encryption - lost or stolen hardware
● Building up “RunBooks” for incident response
● 3rd party auditing
● Phishing education/response
● VLANs
Getting Good at Basics - Corp Cont’d
PHISHING EXAMPLE
Getting Good at Basics - App
● Remove secrets from your code base!
● Secure the cloud, VPCs/IAMs in AWS
● Make it hard for developers to leak sensitive fields:
  `display_name(full_lastname=True)`
● Rotating credentials
● Secure your source code
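The `display_name(full_lastname=True)` idea above, written out as an added Python example (not code from the talk or from Yelp's code base; the `Sensitive` wrapper, `User` class and helper names are assumptions): a sensitive value cannot be stringified, formatted or JSON-serialised by accident, and the surname only appears when the caller explicitly opts in.

```python
import json
from dataclasses import dataclass


class SensitiveFieldLeak(RuntimeError):
    """Raised when a sensitive value is about to reach an output path."""


class Sensitive:
    """Opaque holder for a PII value; every implicit conversion fails loudly."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        # The only way out: an explicit, greppable call site.
        return self._value

    def __str__(self) -> str:
        raise SensitiveFieldLeak("implicit str() on a sensitive field")

    def __format__(self, spec: str) -> str:
        raise SensitiveFieldLeak("sensitive field used in an f-string/format()")

    def __repr__(self) -> str:
        return "Sensitive(<redacted>)"  # safe in tracebacks and debug logs


def dumps_guarded(payload) -> str:
    """json.dumps that refuses to serialise a Sensitive value instead of leaking it."""
    def refuse(obj):
        if isinstance(obj, Sensitive):
            raise SensitiveFieldLeak("sensitive field in a JSON payload")
        raise TypeError(f"unserialisable object {type(obj).__name__}")
    return json.dumps(payload, default=refuse)


@dataclass
class User:
    first_name: str
    last_name: Sensitive  # hypothetical: the surname is treated as a sensitive field

    def display_name(self, full_lastname: bool = False) -> str:
        # Safe abbreviated form by default ("Michael S."); full surname only on opt-in.
        surname = self.last_name.reveal()
        return f"{self.first_name} {surname}" if full_lastname else f"{self.first_name} {surname[:1]}."


def to_public_json(user: User) -> str:
    # Public API responses carry only the abbreviated name.
    return dumps_guarded({"name": user.display_name()})
```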
V2 Hiring
Getting Professional - Corp
SIEM
Getting Professional - Apps
Public Bug Bounty Program
DDoS attacks
Q&A
Bug Bounty Program
DDoS attacks
SIEM
Phishing
Hiring
Team Structure
PII
@YelpEngineering / @stopman
fb.com/YelpEngineers
engineeringblog.yelp.com
github.com/yelp