Conference Dates October 5–7, 2021

Theme Build Securely

Agenda 5 tracks, 3 days

Browse the agenda

The agenda may change as we get closer to SnykCon. Check back for the latest information.

Tuesday, Oct 5
Wednesday, Oct 6
Thursday, Oct 7
9:00 
310 min 

Partner Day 

SnykCon Partner Day 

Head here to see the full agenda: https://snyk.io/snykcon/partner-day-agenda/ 

14:30 
60 min 

Main Stage 

SnykCon Kickoff 

8:50 
25 min 

Main Stage 

Welcome & Kickoff 

Speakers

Simon Maple Field CTO, Snyk
9:15 
20 min 

Main Stage 

Lessons from 11 Billion Breached Records 

Security flaws, hackers and data breaches are the new normal. It’s not just those of us in the industry facing these foes every single day, it’s everyone. Whether you’re online or offline, you simply cannot exist today without your personal information being digitized in systems which are often left vulnerable and exploited at the whim of attackers. But who are these people, the ones who seek to break through our defenses and exploit our data? And how are they continually so effective at doing so, despite our best efforts?

In this talk you’ll hear from the creator of “Have I Been Pwned” about the lessons he’s learned after processing more than 11B records of breached data. You’ll get a glimpse behind the scenes of what caused some of these devastating incidents and how they continue to wreak havoc today, despite how much more aware the industry is becoming. It’s a frightening, eye-opening and entertaining look at infosec and data breaches.

Speakers

Troy Hunt Regional Director, Microsoft
60 min 

Workshop 

Applying the Developer Approach to a Fully Automated Security Lifecycle 

At Skyscanner, engineers perform thousands of changes to production services every day. To solve security at scale, we need to develop and iteratively improve our automations to keep up the pace. In this workshop, you’ll learn how the Platform Security and Automation team at Skyscanner allow engineers to safely deploy new features while preventing security vulnerabilities and misconfigurations.

During this workshop you’ll learn:

  • How to incorporate security detection into each layer of your stack, from writing code to automated deployment
  • How to contextualize all your security data
  • How to think about (and build) automation tooling at this scale
  • How to close the feedback loop between engineering and security and how to report and fix security issues

Through this workshop, you’ll also learn how we developed some of our tooling, such as our open source CFRipper tool, which can prevent vulnerabilities from getting into production via insecure CloudFormation templates.

Speakers

Oliver Crawford Software Engineer, Skyscanner
15 min 

Snyk Demo Track 

The Secure Developer’s Desktop 

An overview of how to leverage the Snyk platform while developing quickly within your workflow to accelerate secure development.

Speakers

Omar Leonardo Quimbaya Senior Solutions Engineer, Snyk
9:30 
15 min 

Snyk Demo Track 

How to successfully Roll Out Snyk across your Business/Enterprise 

Best practices to ensure successful deployment, rollout and adoption for Business and Enterprise customers.

Speakers

Stacey Levine Senior Customer Success Manager, Snyk
9:45 
15 min 

Snyk Demo Track 

So you bought a Team Plan, what now? 

A simple and quick plan for dev teams to go from start to success with the Team plan.

Speakers

Jairo Gomez Tellez Customer Success Manager, Snyk
Tati Miodownik Customer Success Manager, Snyk
9:55 
5 min 

Lightning Talk 

Your Personal Brand Speaks Louder than your CV! 

This talk focuses on taking control of your career by building a personal brand. It’s for anyone who has wanted to start a new career path (or even veer into a new field), but is afraid that their lack of experience/education will be an insurmountable block. I start with my journey into tech, touching on the barriers I faced by entering the field from a non-tech background. Then I will explain how I bypassed those barriers by simultaneously building my knowledge & my brand — which landed me a job as an AppSec Engineer at Bugcrowd.

I then explore why a personal brand is important & how it can open doors by giving you the exposure needed to build an effective network. Finally, I give actionable tips such as where, what, and how to post as well as how to connect with your potential audience. I’ll also talk about how I did this with bug bounties/YouTube & my content. After this session, you should feel empowered to make a change and be equipped with the tools to follow through.

10:00 
5 min 

Lightning Talk 

Driving Healthy Vulnerability Management Practices in the Enterprise using KRI’s 

Healthy vulnerability management in a large enterprise is an uphill battle for many reasons. Distributed governance, poor application inventories, legacy applications that are hard to maintain, and fixation on new features create new vulnerabilities and propagate existing ones. Manulife has used global Key Risk Indicators (KRIs) to drive healthy security behaviors, show visibility, and promote continuous security management. In this talk, David Matousek, Director of Product and Strategy for Security Services at Manulife Financial will walk through:

  • Why Manulife adopted a KRI strategy as opposed to centralized management
  • Global and business unit KRIs used for vulnerability management
  • Observability and transparency of KRIs to drive healthy security behaviors

Speakers

David Matousek Director and Lead Technical Product Owner of Cybersecurity, Manulife
15 min 

Snyk Demo Track 

How do you know what to fix when you can’t fix it all? 

Strategies for prioritizing fixing security issues in your applications.

Speakers

Tom Gleason Sr. Manager, Solutions Engineering, Snyk
10:05 
5 min 

Lightning Talk 

Artificial Intelligence in Health and Fitness 

Utilizing Artificial Intelligence in tracking Health and Fitness levels of an individual using certain biomarkers.

Speakers

Svitlana Samko W2business Academy, CEO
10:10 
20 min 

Main Stage 

The transformation of the Developer/Security relationship 

What do the evolving developer and security jobs look like during an organization going through a transformation? How can security maturity be improved across an organization? How can we as developers and security practitioners change to improve the secure development of our applications? Join Rinki Sethi, VP and CISO at Twitter, and Simon Maple, Field CTO at Snyk as they discuss how organizations need to change in order to scale security through the development process, including what this means to developers and security engineers alike.

Speakers

Rinki Sethi Vice President and CISO, Twitter
Simon Maple Field CTO, Snyk
10:15 
15 min 

Snyk Demo Track 

Snyk + AWS, Better together 

This session highlights all the key ways Snyk can accelerate secure development and/or production deployment of your applications on AWS.

Speakers

Stacy Dunn Solutions Engineer, Snyk
10:30 
60 min 

Main Stage 

Snyk Keynote 

Speakers

Aner Mazur Chief Product Officer, Snyk
Guy Podjarny President & Founder, Snyk
Peter McKay CEO, Snyk
15 min 

Snyk Demo track 

Using Snyk Effectively with Github 

This session highlights how Snyk can be easily integrated into Github and utilized within the developer workflows.

Speakers

Kriti Dogra Solutions Engineer, Snyk
10:45 
15 min 

Snyk Demo track 

Using Snyk Effectively with Gitlab 

This session highlights how Snyk can be easily integrated into Gitlab and utilized within the developer workflows.

Speakers

Matt Brown Solutions Engineer, Snyk
11:00 
15 min 

Snyk Demo track 

Becoming a secure JavaScript / Node developer 

This session will show you how to use Snyk to secure JavaScript / Node applications as you build them.

Speakers

Tim Leroy Senior Solutions Engineer, Snyk
11:15 
15 min 

Snyk Demo track 

Becoming a secure python developer 

This session will show you how to use Snyk to secure Python applications as you build them.

Speakers

Lili Kastilio Technical Services Architect, Snyk
11:30 
15 min 

Snyk Demo track 

Becoming a secure Java developer 

This session will show you how to use Snyk to secure Java applications as you build them.

Speakers

Sarah Usher Senior Software Engineer, Snyk
11:45 
15 min 

Snyk Demo track 

Becoming a secure Go developer 

This session will show you how to use Snyk to secure Go applications as you build them.

Speakers

Noa Moshe Solutions Engineer, Snyk
12:00 
30 min 

Main Stage 

The Human Element of Security: How to Be a People Hacker 

Speakers

Jenny Radcliffe The People Hacker
20 min 

Snyk Demo track 

Introducing the .snyk file – Defining policy at the desktop/CI level 

The .snyk file is a powerful capability that allows you to define ignores, set python version, and specify .snyk patches to be applied. This session focuses on creation and usage of this powerful capability.

Speakers

Akanchha Shrivastava Solutions Engineer, Snyk
Sarah Gold Solutions Engineer, Snyk
12:20 
15 min 

Snyk Demo track 

CI/CD Best practices & Advanced Tips 

Tips and tricks on how to implement, troubleshoot and scale deployments.

Speakers

Jonathan Gruber Lead Solutions Engineer, Snyk
12:35 
30 min 

Code & Build 

Haunted: Chrome’s Vision for Post-Spectre Web Development 

Ahh, the web, an open platform where sites can communicate with each other, embed third-party content to unlock powerful features, make requests to arbitrary endpoints of other web applications…

Well. Isolation was never a thing on the web, and this creates a number of security issues, but Spectre took this to the next level.

In response to this new type of vulnerability, Chrome and other web browsers have worked to make attacks harder by implementing Site Isolation. But Site Isolation doesn’t fix it all, and the house is still haunted: Spectre attacks are still possible. The risk is very real, and working JavaScript exploits have demonstrated the spooky potential of this class of attacks.

So, what can you do? In this session, we’ll look at how you can keep your site secure and capable with Sec-Fetch- headers, Cross-Origin Opener Policy and more. We’ll explore techniques and tooling that can help you adopt these features, and we’ll finish with some thoughts of what Chrome envisions for the future of web security. 

Speakers

Maud Nalpas Developer Relations Engineer, Chrome
30 min 

Govern & Empower 

Enterprise Application Risk Profiling 

A talk on application risk profiling on an enterprise scale (an OWASP SAMM activity – https://owaspsamm.org/model/design/threat-assessment/stream-a/). I will discuss digital transformation in the enterprise, how it impacts cloud native applications developed using agile methodologies and as a result, an oscillating application risk rating, which then triggers prioritized security-related activities by application security engineers.

Key topics

  • Creating a baseline application risk profile
  • Dynamic characteristics of application risk factors
  • Significant changes that trigger security reviews

Speakers

Alex Mor Global Director of Application Security, AbInbev
30 min 

Snyk Product 

API Evolution 

15 min 

Snyk Demo track 

Staying Compliant – Leverage Snyk License Management Features While you Develop 

How to configure and utilize Snyk’s license management features.

Speakers

Elad Harel Senior Solutions Engineer, Snyk
12:50 
15 min 

Snyk Demo track 

Secure Containers Easily with Base Image Management 

Greatly reduce vulnerabilities using Snyk’s advanced container analysis. This session focuses specifically on the Base Image Management capabilities.

Speakers

Rotem Sagi Software Engineer, Snyk
13:05 
45 min 

Code & Build 

Gitting Down to the Issue – Closing the Feedback Loop with Automation 

During this session, we will focus on how the move by security professionals toward providing “pipelines-as-a-service” has necessitated a product / service-oriented mindset, even for internal teams. A structured approach to leveraging continuous integration tools to incorporate not only Snyk Open Source, but security tools in general, into the application development lifecycle will be reviewed. A demonstration will show how APIs, functions, and scripts can be used to provide (Snyk) scan output as a GitHub Issue, allowing feedback to be given and discussion to take place prior to a Pull Request event. This presentation will also discuss some of the practical challenges related to “privatizing” the code for pipelines, pipeline performance, and secret management, as they were faced while adopting the approach at an enterprise scale.

Speakers

David Wiggs Manager, Bain
30 min 

Govern & Empower 

Shifting Security Left While Building A Cloud Native Bank 

Building a digital bank requires a unique combination of agility and speed while maintaining the highest level of security. Lunar, a digital challenger bank in the Nordics, has always had technology and agility as a differentiator. Lunar was built for the cloud, with Cloud Native principles, such as microservices, containers, and container orchestration amongst others.

In this presentation Kasper will present some insights into the principles on which the Lunar infrastructure was built on, the continuous focus on security, and how application security is shifting left and becoming a developer concern. Kasper will discuss the challenges faced and conquered in the process of transitioning from a fintech startup to a bank with its own banking license.

Speakers

Kasper Nissen Cloud Architect and CNCF Ambassador, Lunar
30 min 

Snyk Product 

Falling in Love with Static Analysis 

Speakers

Elad Yaakov Product Manager, Snyk
Noa Moshe Solutions Engineer, Snyk
20 min 

Snyk Demo track 

Securing your Terraform Deployments 

How to use Snyk’s Infrastructure as Code to avoid misconfigurations and other security issues in your Terraform workflows.

Speakers

Rick Harp Senior Solutions Engineer, Snyk
13:25 
15 min 

Snyk Demo track 

Pod Problems: Securing a Vulnerable Kubernetes Application with Snyk 

How to use Snyk Container to secure your applications being deployed to Kubernetes. Avoid someone getting woken up at night to address an issue.

Speakers

Clinton Hegert Principal Solutions Engineer, Snyk
13:40 
15 min 

Snyk Demo track 

Creating Custom Rules for Snyk Infrastructure as Code 

Snyk allows customers to create custom rules, using advanced patterns, to define what to look for in infrastructure as code files. This session will be a deep dive into how to create your own rules.

Speakers

Philippe Stemberger Principal Solutions Engineer, Snyk
13:50 
30 min 

Code & Build 

My NPM Package Will Eat your Lunch 

We know a lot about vulnerable packages in NPM registry, but (surprisingly) few malicious packages have surfaced to date. This makes you feel like you don’t really need to protect your project against them. Well, I’m here to destroy that cozy feeling >:D

I will demonstrate how a malicious package could affect your application, even if some security measures are already in place. After the exploits, I’ll explain how to prevent the attacks without missing out on the benefits of packages using postinstall scripts for valid reasons.

Speakers

Zbyszek Tenerowicz JS security hobbyist, meet.js
30 min 

Govern & Empower 

Sorting through the Fluff: Declutter and Remediate Container Vulnerabilities with Context 

At Atlassian, 99% of services deployed to production are built on containers. When implementing container scanning company wide for the first time we were faced with tens of thousands of issues being found by Snyk across the organization.

We chose to go against the grain of using CVSS scores exclusively when assigning severity to tickets and instead examined the issues in the context of their target operating systems. By utilizing the distros’ relative importance provided by Snyk, we ensured any asks of our engineers were actionable and assigned an appropriate severity level that matched the prioritization needed from them.

Combining this with the process of identifying containers built on “golden” base images or services using common sidecars, we not only ensure developers can focus on issues they actually have control over, but also improve our security posture by keeping these container images and sidecars up to date across all Atlassian services.

Speakers

Sharada Moorthy Security Software Development Engineer, Atlassian
Will Ratner Product Security Engineer, Atlassian
30 min 

Snyk Product 

Automating a Secure Container Workflow 

90 min 

Workshop 

Getting Started with Snyk 

13:55 
15 min 

Snyk Demo track 

Securing your Code Using Snyk Code in 15 Minutes 

Learn how to implement Snyk quickly and get results right away! It’s that easy.

Speakers

Nate Michalov Senior Solutions Engineer, Snyk
14:10 
15 min 

Snyk Demo track 

The Developer-First Security Experience on OpenShift 

Snyk and Red Hat believe that DevSecOps is best scaled when developers can take security into their own hands, empowered by tools that enable and encourage IT Operations and security teams to participate in, and gain visibility into, the vulnerability remediation process. Toward this end, we’re collaborating to seamlessly integrate security throughout the CodeReady Toolchain, part of the OpenShift developer experience, to help our users realize these benefits, regardless of the team they belong to. In this session, we’ll show you how to fully leverage Snyk’s capabilities within your OpenShift environment on your journey to DevSecOps.

Speakers

Dave Meurer Principal Solutions Architect, Red Hat
14:20 
30 min 

Code & Build 

Cracking the Kernel: Adventures with Kernel Exploits in Kubernetes 

We interact with the operating system kernel in many different ways: by reading from the file system, opening a device file, issuing system calls, or sending a packet over the network interface. Each time the kernel does this on behalf of user space, it checks if the user has permission to call that action by checking privileges. Kernel privilege escalation is a process of obtaining additional permissions by exploiting a weakness in kernel code. In this talk we’ll explore what kernel privilege exploits are, look at an example in practice, and then show the different ways in which containers and Kubernetes can help to reduce the impact of these kinds of exploits.

Speakers

Matt Jarvis Director of Developer Relations, Snyk
30 min 

Govern & Empower 

Lessons Learned from Building a Developer-first AppSec Program 

What is an AppSec program? Where do you start with your AppSec program? Should we start with compliance or developers? Do I need full company support? How much does it cost in time and money? What building blocks does an AppSec program consist of? Is it a tools or a culture problem? How do you roll it out and gain traction? How do you measure success/failure?

This and much more is what I will share during my session, and I invite you to follow along on our journey to create an AppSec program and build it out over the years! Successes and failures. Security is a shared responsibility.

Speakers

Per Olsson AppSec Advisor, Visma
14:25 
15 min 

Snyk Demo track 

Developer-Centric AppSec In Practice 

The idea of shifting application security left is widely accepted. Automating testing close to the code ensures that potential vulnerabilities are found quickly, and developer-centric security platforms allow software engineers to push fixes while they are working in the code base. Once implemented, your team can confidently ship secure applications without disruption to existing workflows. But what does it look like in practice?

A full application security program is often thought of as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA). In this session, StackHawk’s CTO, Scott Gerlach, will demonstrate how these three types of application security testing can work together, automated in the delivery pipeline to surface potential vulnerabilities and equip developers to own the fix.

Speakers

Scott Gerlach CTO, StackHawk
14:40 
15 min 

Snyk Demo track 

Extending Software Composition Analysis (SCA) to Runtime  

Everyone’s familiar with open source code and the associated vulnerabilities you inherit by leveraging third party packages. Many of you are familiar with traditional Software Composition Analysis (SCA) and are probably using Snyk for it!

In today’s world of CI/CD pipelines and Infrastructure as Code (IaC), there’s complex machinery that sits between the code and production. This machinery works great most of the time, but can suffer from what all software does… bugs. And let’s not forget, things don’t always turn out the way they were intended to. This can present challenges to security teams who want to know if there are vulns in their live system that may not show up in source code scans, as well as SOC analysts and incident responders who are trying to figure out the vulnerability exposure duration of a given vuln.

This talk will cover how to leverage an end to end security approach for identifying vulnerabilities from development through runtime for web apps with both Snyk and Rapid7.

14:50 
30 min 

Code & Build 

Container Scanning: Run Fast and Stay Safe 

Have you struggled to get security baked into your DevOps process or have your security needs taken a back seat to “run fast and break things”? Just because we’re moving fast doesn’t mean we can’t be secure. Join us for this deep dive into adding container scanning to a DevOps pipeline. We’ll enumerate the security tool categories, and give you tips for adding these tools to your development workflow, build pipeline, and production monitoring setup. You can achieve a robust security posture and still release continuously.

Speakers

Rob Richardson Developer Advocate, Cyral
30 min 

Govern & Empower 

Building Security Champions 

With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?

This session will teach you:

  • How to attract the right people to your program
  • What and how to train them
  • How to engage them, and turn them into security advocates
  • What to delegate and what NOT to delegate
  • What to communicate, how often and to whom
  • How to motivate them
  • How to build an AMAZING security champion program

Recipe for success: recruit, engage, teach, recognize, reward, don’t stop.

Speakers

Tanya Janca CEO & Founder, We Hack Purple
30 min 

Snyk Product 

Secure your Infrastructure from Code to Cloud 

15:20 
10 min 

Main Stage 

Closing Remarks 

15:30 
30 min 

Networking Event 

SnykCon End of Day Event 

8:50 
25 min 

Main Stage 

Welcome & Kickoff 

Speakers

Simon Maple Field CTO, Snyk
9:15 
20 min 

Main Stage 

Developers Don’t Want Someone Looking Over Their Shoulder 

Engineering teams thrive when they have autonomy and ownership, not when they have to wait on code reviews from AppSec. In this session, Suzie Prince (Head of Product, DevOps, Atlassian) and Gareth Rushgrove (VP, Product, Snyk) discuss the importance of autonomy for developers, what tools to give them to autonomously deal with vulnerabilities that require security expertise, and why it’s so important for security to start with development teams.

Speakers

Gareth Rushgrove VP of Product, Snyk
Suzie Prince Head of Product, DevOps, Atlassian
60 min 

Workshop 

Never Get Pwned! Understanding the OWASP Top 10 

If you’re a software developer, chances are you’ve seen a lot of security vulnerabilities in the software you’re working on, even if you didn’t realize it.

In this workshop you’ll learn what the 10 most critical security issues in web applications are and how to prevent them. In particular, you’ll get to explore 3 of the top 10 vulnerabilities in a devastating way:

  • Cross-site scripting (XSS)
  • Broken authentication
  • Injection attacks (SQLi)

You’ll see how these issues can creep into your applications, what the consequences can be, and how to prevent that from happening.

Speakers

Grant Ongers Co-founder Secure Delivery & OWASP Global Board Member, Secure Delivery
15 min 

Snyk Demo track 

The Developer-First Security Experience on OpenShift 

Snyk and Red Hat believe that DevSecOps is best scaled when developers can take security into their own hands, empowered by tools that enable and encourage IT Operations and security teams to participate in, and gain visibility into, the vulnerability remediation process. Toward this end, we’re collaborating to seamlessly integrate security throughout the CodeReady Toolchain, part of the OpenShift developer experience, to help our users realize these benefits, regardless of the team they belong to. In this session, we’ll show you how to fully leverage Snyk’s capabilities within your OpenShift environment on your journey to DevSecOps.

Speakers

Dave Meurer Principal Solutions Architect, Red Hat
9:30 
15 min 

Snyk Demo track 

Developer-Centric AppSec In Practice 

The idea of shifting application security left is widely accepted. Automating testing close to the code ensures that potential vulnerabilities are found quickly, and developer-centric security platforms allow software engineers to push fixes while they are working in the code base. Once implemented, your team can confidently ship secure applications without disruption to existing workflows. But what does it look like in practice?

A full application security program is often thought of as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA). In this session, StackHawk’s CTO, Scott Gerlach, will demonstrate how these three types of application security testing can work together, automated in the delivery pipeline to surface potential vulnerabilities and equip developers to own the fix.

Speakers

Scott Gerlach CTO, StackHawk
9:35 
20 min 

Main Stage 

Understanding Supply Chain Security for Developers 

People are talking about supply chain security a lot now, with high profile attacks in the news, but what does it really mean for developers? How does it relate to how you build applications? In this talk I will explain what the security risks are, and how to understand your supply chain, and how to improve it, by using content you trust, and tools to help you. I will also look at what the future will bring as we manage our supply chains with a stronger view to their security.

Speakers

Justin Cormack CTO, Docker
9:45 
15 min 

Snyk Demo track 

Extending Software Composition Analysis (SCA) to Runtime  

Everyone’s familiar with open source code and the associated vulnerabilities you inherit by leveraging third party packages. Many of you are familiar with traditional Software Composition Analysis (SCA) and are probably using Snyk for it! In today’s world of CI/CD pipelines and Infrastructure as Code (IaC), there’s complex machinery that sits between the code and production. This machinery works great most of the time, but can suffer from what all software does… bugs. And let’s not forget, things don’t always turn out the way they were intended to.

This can present challenges to security teams who want to know if there are vulns in their live system that may not show up in source code scans, as well as SOC analysts and incident responders who are trying to figure out the vulnerability exposure duration of a given vuln. This talk will cover how to leverage an end to end security approach for identifying vulnerabilities from development through runtime for web apps with both Snyk and Rapid7.

9:55 
5 min 

Lightning Talk 

CSP is Leaking…. 

Content Security Policy (CSP) is a great way to restrict client-side activities on most browsers, especially network activities. The maintenance is a bit of a hassle, but there are some good tools out there to assist with the task. The problem is that CSP can provide a false sense of security. There are several open attack vectors when relying on CSP, and in this short talk we will discuss some of them, ways to gain visibility, and ideas for mitigation.

Speakers

Avishai Shafir Director of Product, PerimeterX
10:00 
5 min 

Lightning Talk 

3 Things You (Probably) Don’t Know About SSH 

You’ve used ssh-keygen to create a private and public SSH keypair, and you’ve used that keypair to authenticate to a remote server, but what the heck is going on behind the scenes? This lightning talk will describe three things about SSH that you (probably) don’t know.

Speakers

Kim Schlesinger Developer Advocate, DigitalOcean
15 min 

Snyk Demo track 

The Secure Developer’s Desktop 

An overview of how to leverage the Snyk platform while developing quickly within your workflow to accelerate secure development.

Speakers

Omar Leonardo Quimbaya Senior Solutions Engineer, Snyk
10:05 
5 min 

Lightning Talk 

Why the Options Pattern is Great for Security 

I will demonstrate three security benefits of the options pattern for object initialization by showing three examples. I will also suggest and explain a small but significant improvement to the classic options pattern that increases security even more.

The options pattern provides security benefits as side effects of encapsulation and separation of concerns. The main benefit is that it can make complex objects difficult to misuse, a necessary quality for modern cryptography, networking, and low-level libraries.

This approach shifts security left. It aids with code readability, reliability, and resilience. When properly implemented, the options pattern ensures sensible defaults, detects configuration conflicts at initialization, and provides logical grouping and consistency with entangled parameters.

Speakers

Dima Kotik Lead curriculum contributor, Security Journey
10:10 
20 min 

Main Stage 

Secure Development during Hypergrowth 

“Move fast and break things” is a common trope for companies in hypergrowth, but it’s just not an option with security. During this session you’ll learn best practices, lessons learned, and sound advice for developing securely at speed and scale. The conversation will explore hypergrowth, how speed impacts security, guiding development philosophies, and how to make security a priority for engineers.

Speakers

Guy Podjarny President & Founder, Snyk
10:15 
15 min 

Snyk Demo track 

How to Successfully Roll Out Snyk Across your Business/Enterprise 

Best practices to ensure successful deployment, rollout, and adoption for Business and Enterprise customers.

Speakers

Stacey Levine Senior Customer Success Manager, Snyk
10:30 
15 min 

Snyk Demo track 

So you Bought a Team Plan, What Now? 

A simple and quick plan for dev teams to go from start to success with the Team plan.

Speakers

Jairo Gomez Tellez Customer Success Manager, Snyk
Tati Miodownik Customer Success Manager, Snyk
10:45 
15 min 

Snyk Demo track 

How do you know what to fix when you can’t fix it all? 

Strategies for prioritizing fixing security issues in your applications.

Speakers

Tom Gleason Sr. Manager, Solutions Engineering, Snyk
11:00 
10 min 

Main Stage 

Snyk Keynote – Social Impact 

Speakers

15 min 

Snyk Demo track 

Snyk + AWS, Better together 

This session highlights all the key ways Snyk can accelerate secure development and/or production deployment of your applications on AWS.

Speakers

Stacy Dunn Solutions Engineer, Snyk
11:15 
15 min 

Snyk Demo track 

Using Snyk Effectively with Github 

This session highlights how Snyk can be easily integrated into Github and utilized within the developer workflows.

Speakers

Kriti Dogra Solutions Engineer, Snyk
11:30 
15 min 

Snyk Demo track 

Using Snyk Effectively with GitLab 

This session highlights how Snyk can be easily integrated into GitLab and used within developer workflows.

Speakers

Matt Brown Solutions Engineer, Snyk
11:45 
15 min 

Snyk Demo track 

Becoming a Secure JavaScript / Node Developer 

This session will show you how to use Snyk to secure JavaScript / Node applications as you build them.

Speakers

Tim Leroy Senior Solutions Engineer, Snyk
12:00 
30 min 

Main Stage 

The Future of Cyber Security from a Friendly Hacker’s Perspective 

Speakers

Keren Elazari The Friendly Hacker
15 min 

Snyk Demo track 

Becoming a Secure Python Developer 

This session will show you how to use Snyk to secure Python applications as you build them.

Speakers

Lili Kastilio Technical Services Architect, Snyk
12:15 
15 min 

Snyk Demo track 

Becoming a Secure Java Developer 

This session will show you how to use Snyk to secure Java applications as you build them.

Speakers

Sarah Usher Senior Software Engineer, Snyk
12:30 
15 min 

Snyk Demo track 

Becoming a secure Go developer 

This session will show you how to use Snyk to secure Go applications as you build them.

Speakers

Noa Moshe Solutions Engineer, Snyk
12:35 
30 min 

Code & Build 

What the H… is this Signing Thing About? 

While learning container security best practices, we quickly stumble on “signing images” in our journey, but what the h… is this signing about? Why should you really care? What are the benefits? Advantages, drawbacks, tools to choose, integration, deployment, day 2,… ok ok ok I got it, it’s a loooonnnggg journey!

Throughout this talk, I aim to simply explain (with a little fun) what this is all about, why it is important, and more importantly, how it can help you be better at securing your container-based supply chain and production platform. Plain and simple, you’ll learn from this session whoever you are in your organization: C level, leads, experts,… Are you hooked? Jump in and sail with me safely through the seven container seas 🙂

Speakers

Rachid Zarouali Cloud Architect, Sevensphere
30 min 

Govern & Empower 

Story of Implementation of SecDevOps in a FinTech Organization and Beyond 

In the financial industry, there was less importance given to Application Security and more given to compliance issues, until a bank was recently hacked in Pakistan.

After that hack, all of the security personnel and information security assessment companies were choked by their limited resources. We decided that there couldn’t be a better opportunity to implement, and then market, DevSecOps in our company and in the outer market.

We implemented the fundamentals of Application Security, starting from:

  • the basics of application security scanning (SAST / DAST)
  • moving up to systems hardening
  • then ultimately taking PA-DSS audits head on

We then started automating every manual task in our security efforts, and we were quite successful. Once we did that, we started marketing the things we automated in our technology community.

30 min 

Snyk Product 

Meeting Developers Where They Are: End-to-end Workflows in Snyk 

12:45 
20 min 

Snyk Demo track 

Introducing the .snyk File – Defining Policy at the Desktop/CI level 

The .snyk file is a powerful capability that allows you to define ignores, set python version, and specify .Snyk patches to be applied. This session focuses on creation and usage of this powerful capability.

Speakers

Akanchha Shrivastava Solutions Engineer, Snyk
Sarah Gold Solutions Engineer, Snyk
13:05 
30 min 

Code & Build 

Attacking Postmessage 

This talk goes in depth into exploiting the postMessage function, covering the topics below.

  • The concept of the Same Origin Policy and why postMessage exists
  • Why we implement the postMessage() function
  • How we can bypass the same-origin policy in a safer way to perform cross-window communication with the help of the postMessage function
  • How we can find the different postMessage() functions in the application and in the JS files loaded by the page
  • What attack vectors an attacker can use to exploit a misconfigured postMessage, and what the impact of those attacks would be
  • Secure postMessage() implementation and mitigations for insecure/misconfigured postMessage functions

30 min 

Govern & Empower 

Security Workflow Collaboration: How Security Teams Provide Aircover for Developers 

Time is Critical. When responding to a security incident, seconds matter. Security teams operate on many levels with multiple controls to plug gaps and minimize damage during an attack. These controls give developers time, time to fix vulnerabilities properly. With more complex infrastructures and supply chains, this cooperation between security and developers is critical.

So how do these two teams collaborate when the language and way of thinking is different?

Join this session to learn how development teams are empowered when they receive proactive assistance from security teams. With quick mitigation, security teams can provide needed assistance helping to minimize the relative risk and chance of organization wide damage from cyber threats, allowing developers to focus on ownership of their applications and remediation.

30 min 

Snyk Product 

Triaging Vulnerabilities: the Way it Ought to Be 

15 min 

Snyk Demo track 

CI/CD Best practices & Advanced Tips 

Tips and tricks on how to implement, troubleshoot and scale deployments.

Speakers

Jonathan Gruber Lead Solutions Engineer, Snyk
13:20 
15 min 

Snyk Demo track 

Staying Compliant – Leverage Snyk License Management Features While you Develop 

How to configure and utilize Snyk’s license management features.

Speakers

Elad Harel Senior Solutions Engineer, Snyk
13:35 
15 min 

Snyk Demo track 

Secure Containers Easily with Base Image Management 

Greatly reduce vulnerabilities using Snyk’s advanced container analysis. This session focuses specifically on the Base Image Management capabilities.

Speakers

Rotem Sagi Software Engineer, Snyk
13:50 
30 min 

Code & Build 

Hacking your Infra from the Outside by Exploiting npm Dependency Confusion Attacks 

What happens when you incorrectly manage your private packages registry, your developers misconfigure their local npm proxy, and malicious actors are free to abuse an open-source ecosystem? It’s called Dependency Confusion and it’s an attack that enabled security researchers to infiltrate big-name corps. You don’t want to be the next victim on the headlines, right? Let me take you on a step-by-step deep dive into how this attack manifests and how you can defend against it.

Speakers

Liran Tal Director of Developer Relations, Snyk
30 min 

Snyk Product 

The Deep Code Analysis & ML Powering Snyk 

90 min 

Workshop 

Kubernetes IaC Security Gamified 

In this workshop, you’ll get hands-on experience implementing Kubernetes security best practices. We’ll play a game where you will work with other developers to hunt for K8s security vulnerabilities in a GitHub repo, and then we’ll discuss why these vulnerabilities are bad for your Kubernetes cluster and how to fix the issues.

This interactive session has three parts:
Part I: Participants will be put onto teams and given access to a GitHub repository with a variety of K8s manifests for deployments, pods, services, and jobs. There will be a set number of security vulnerabilities and misconfigurations in the GitHub repo. Participants will have 25 minutes to find as many as they can using any tools they choose.

Part II: Teams will share the vulnerabilities and misconfigurations they found, and then Kim will reveal the issues and discuss why each vulnerability is a security issue.

Part III: Kim will demonstrate how to scan a repository of Kubernetes configuration files using Snyk.

Speakers

Kim Schlesinger Developer Advocate, DigitalOcean
20 min 

Snyk Demo track 

Securing your Terraform Deployments 

How to use Snyk’s Infrastructure as Code to avoid misconfigurations and other security issues in your Terraform workflows.

Speakers

Rick Harp Senior Solutions Engineer, Snyk
14:00 
30 min 

Govern & Empower 

Automating Open Source License Approvals 

Automating approvals for Open Source license usage by utilising the Snyk license scanning feature within our CI/CD workflow.

Key Takeaways
Snyk license scanning, CI/CD, process automation, open source licenses

Speakers

Ben Davies Software Engineer of Engineering Productivity, Citrix
Sam Hodgkinson Software Engineer of Engineering Productivity, Citrix
14:10 
15 min 

Snyk Demo track 

Pod Problems: Securing a Vulnerable Kubernetes Application with Snyk 

How to use Snyk Container to secure your applications being deployed to Kubernetes. Avoid someone getting woken up at night to address an issue.

Speakers

Clinton Hegert Principal Solutions Engineer, Snyk
14:20 
30 min 

Govern & Empower 

Evangelizing the SRE Mindset: Building a Culture of Reliability and Ownership 

Most engineers respond to messages or emails from an SRE or security engineer with disdain. They often see the work of these teams as another hurdle to getting code out the door and a tax on their productivity. We know they’re wrong. We need to spread the SRE mindset and approach to all engineering teams and pivot their thinking towards “How can I build a solution that is resilient, secure, and scalable?”, and “How can I partner with my SRE and security teams to make this a reality?”. This talk will take a deep dive into the core principles of SRE thinking and how to create a culture of reliability and ownership, with practical takeaways that you can use with your own teams.

Speakers

Cristina Buenahora Bustamante Founding Engineer, Cortex
30 min 

Snyk Product 

Kubernetes Security with Snyk 

14:25 
15 min 

Snyk Demo track 

Creating Custom Rules for Snyk Infrastructure as Code 

Snyk allows customers to create custom rules, using advanced patterns, to define what to look for in infrastructure as code files. This session will be a deep dive into how to create your own rules.

Speakers

Philippe Stemberger Principal Solutions Engineer, Snyk
14:40 
15 min 

Snyk Demo track 

Securing your Code Using Snyk Code in 15 Minutes 

Learn how to implement Snyk quickly and get results right away! It’s that easy.

Speakers

Nate Michalov Senior Solutions Engineer, Snyk
14:50 
30 min 

Code & Build 

How Compliance-as-Code Grants Developers Actionable Security Insights 

Open Policy Agent from the CNCF is an increasingly popular choice for enterprise policy and authorization enforcement. OPA Conftest, in particular, enables unified enforcement of infrastructure-as-code and security standards. Maybe you’ve written a Rego file before or maybe you’re hearing about OPA for the first time. How do we take these building blocks and scale from a few Rego examples to an organization-wide compliance-as-code program?

Join Ari Kalfus as he details his journey building an enterprise-scale program with Conftest scanning every commit in the organization for targeted, high fidelity findings. He will cover using GitOps for CI/CD-baked policy rollouts, best practices for integrating results with engineering workflows, and the triumphs and tribulations of running this mess on serverless components. The program uncovered previously unknown repositories in the environment and led to a 37% reduction in policy violations after just one week.

Speakers

Ari Kalfus Application Security Leader, Rally Health
30 min 

Govern & Empower 

Secure by Design: Objectives in the Mirror may Seem Farther than they Appear 

“Secure by design”. We’ve all heard the term before, or maybe something similar: “shift-left”, “security first mentality”, but what does it really mean and what does it take to truly be secure by design?

In our time together, I’d like to be brutally honest with the journey we have been on at Auth0, as we work on defining what being secure by design means for us, and what we’ve done so far to strive for this goal.

Spoiler: It hasn’t been easy, we’ve made many mistakes, it is an entire team effort, and being secure by design will look different for every company.

Speakers

Matthew Marji Senior Product Security Engineer, Auth0
30 min 

Snyk Product 

You Chose… Wisely. Making Informed Open Source Package Decisions 

Software development is increasingly about composition. Modern developers are able to stand on the shoulders of giants, using a wealth of open source libraries to build software quickly and delightfully. Gone are the days when you needed to delve into the lowest levels of the machine to get anything done.

More and more open source packages are released every day on npm, PyPI, Maven Central and other central repositories. New versions of libraries are released hourly. We’re seeing new open source and open source-like licenses be proposed and see early adoption.

Attackers are finding ways of using the open source toolchain to scale attacks. How do you choose the best library when considering sustainability, security and compliance as well as functionality?

In this talk we’ll understand why package health is important and how Snyk can help you make sustainable library choices and minimize future maintenance by:

  • Making sure you consider open source license implications as part of development
  • Considering the security history, maintenance history and other projects attributes
  • Automating dependency management to keep versions up-to-date

Speakers

Daniel Berman Director of Product Marketing, Snyk
15:20 
10 min 

Main Stage 

SnykCon Closing Remarks 

15:30 
30 min 

Networking Event 

SnykCon End of Day Event 


Join us for SnykCon 2021

Tell your friends and colleagues that you are joining us: #SnykCon @snyksec