building a world class security team
TRANSCRIPT
Michael StoppelmanSVP of Engineering at Yelp
[email protected]@stopman
Building a World Class Security Team
“One Engineer at a Time”
Yelp’s MissionConnecting people with great
local businesses.
Yelp StatsAs of Q2 2016
92M 3272%108M
$`whoami` Michael Stoppelman
●Purdue Alumni, BS in CS; graduated in 2003
●2003 - 2007 - software engineer - Google
●2007 - now() - SVP of Engineering - Yelp (9.5+ years) @stopman
2005-2009 - not a big target yet
2010 - Now we’re a target…
Our first security audit…
Security Czar - 2011
V0 Hiring
V0 Early mistakes…
V0: 2FA Everywhere
XSS protection by default
Evil Redirects!
V1 Hiring
Getting Good at Basics - Corp● Malware detection● Full Disk Encryption - lost or stolen hardware● Building up “RunBooks” for incident response● 3rd party auditing ● Phishing education/response● VLANs
Getting Good at Basics - Corp Cont’d
PHISHING EXAMPLE
Getting Good at Basics - App● Remove secrets from your code base!● Secure the cloud, VPCs/IAMs in AWS● Make it hard for developers to leak sensitive fields
display_name(full_lastname=True)
● Rotating credentials● Secure your source code
V2 Hiring
Getting Professional - Corp
SIEM
Getting Professional - Apps
Public Bug Bounty Program DDoS attacks
Q&ABug Bounty Program
DDoS attacks
SIEM
PhishingHiring
Team Structure
PII
@YelpEngineering / @stopman
fb.com/YelpEngineers
engineeringblog.yelp.com
github.com/yelp