Wednesday, April 17 • 10:20am - 11:05am
The path to code provenance at Uber


The landscape of Uber applications and services moves and evolves quickly. At our scale, where a one-in-a-million ride happens 10 times every day and production code changes thousands of times a day, scaling security at the rate of the business is critical.

Fundamentally, we must assure, across our multitude of services and engineering teams, that all production code meets defined security requirements, including compliance obligations. An important piece of this is providing documented assurance that code is authored, reviewed and approved by the appropriate parties, and that the code running in production is that same code.

We will share specific examples and use cases from Uber's product security team that can be applied in other environments, including:
- deploying hooks for developers to sign commits (and enforcement of signatures before building container images)
- making security a first-class citizen in our build pipelines to harden and sign builds (and integrations with our container orchestration framework to ensure that our build/image artifacts have been appropriately hardened and vetted to be run within our infrastructure)
- improvements to our container runtime security, in order to efficiently detect and block any unauthorized code (including runtime anomaly detection and a process for remediation of newly-blacklisted packages)
- deploying security policies around third-party dependencies (and how we hook into the SDLC in order to warn, and then enforce, when a dependency falls out of policy)
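The second bullet above (signed builds, plus an orchestration-side check that an image was hardened and vetted before it may run) is the step most worth seeing in code. The following is an added example written for this page, not Uber's implementation: a build pipeline signs a small attestation over the image's manifest digest, and a gate in front of the orchestrator refuses any image whose attestation does not verify under a trusted builder key, does not cover the digest about to run, or does not record that hardening and vetting passed. The attestation fields, the builder name `ci-prod`, the use of Ed25519, and the constructed manifest bytes are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Attestation is the statement a build pipeline signs for one image.
// The field set is an assumption for this example, not a known production format.
type Attestation struct {
	ImageDigest string `json:"image_digest"` // sha256 of the image manifest
	Builder     string `json:"builder"`      // identity of the pipeline that built it
	Hardened    bool   `json:"hardened"`     // hardening stage ran and passed
	Vetted      bool   `json:"vetted"`       // dependency/security policy checks passed
}

// SignedAttestation carries the exact bytes that were signed and the signature over them.
type SignedAttestation struct {
	Payload   []byte
	Signature []byte
}

// ImageDigest computes the "sha256:<hex>" digest of a manifest, as registries do.
func ImageDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignAttestation is the build pipeline's side: serialize the attestation and sign it.
func SignAttestation(priv ed25519.PrivateKey, att Attestation) (SignedAttestation, error) {
	payload, err := json.Marshal(att)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// AdmissionPolicy is the orchestrator-side gate: which builders' keys are trusted.
type AdmissionPolicy struct {
	TrustedBuilders map[string]ed25519.PublicKey // builder name -> signing key
}

// Admit returns nil only if the image identified by imageDigest may run.
func (p AdmissionPolicy) Admit(imageDigest string, sa SignedAttestation) error {
	var att Attestation
	if err := json.Unmarshal(sa.Payload, &att); err != nil {
		return fmt.Errorf("malformed attestation: %w", err)
	}
	// The builder name is read from the still-unverified payload, but only to
	// select a key; nothing else in the payload is trusted until Verify succeeds.
	pub, ok := p.TrustedBuilders[att.Builder]
	if !ok {
		return fmt.Errorf("builder %q is not trusted", att.Builder)
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return errors.New("attestation signature invalid")
	}
	// Bind the attestation to the artifact actually being deployed.
	if att.ImageDigest != imageDigest {
		return fmt.Errorf("attestation covers %s, not %s", att.ImageDigest, imageDigest)
	}
	if !att.Hardened || !att.Vetted {
		return errors.New("image was built but not hardened and vetted")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the trusted pipeline's key
	if err != nil {
		panic(err)
	}
	policy := AdmissionPolicy{TrustedBuilders: map[string]ed25519.PublicKey{"ci-prod": pub}}

	digest := ImageDigest([]byte(`{"constructed":"manifest"}`)) // constructed sample input
	good, _ := SignAttestation(priv, Attestation{ImageDigest: digest, Builder: "ci-prod", Hardened: true, Vetted: true})
	fmt.Println("hardened, vetted, signed image:", policy.Admit(digest, good))

	unhardened, _ := SignAttestation(priv, Attestation{ImageDigest: digest, Builder: "ci-prod", Hardened: false, Vetted: true})
	fmt.Println("signed but unhardened image:", policy.Admit(digest, unhardened))

	fmt.Println("attestation replayed against a different image:", policy.Admit(ImageDigest([]byte("other")), good))
}
```

The ordering inside `Admit` is the point a reviewer would look at: the key is chosen from the unverified builder field, the signature is checked, and only then are the digest and the hardening flags believed. Checking the flags before the signature would let anyone who can write to the attestation store mark their own image as vetted.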

We'll talk through integration pain points, key takeaways, infrastructure-specific challenges we faced, surprising discoveries, and issues/questions we've tackled along the way.

Matthew Finifter
Security Engineer, Uber
Matthew Finifter is a security engineer on Uber's Application Security team. His recent work focuses on the design and implementation of application security automation and improvements within Uber's software development lifecycle. He received his PhD in Computer Science from UC Berkeley...
Tony Ngo
Security Engineer, Uber
Tony Ngo is a security engineer on Uber's Application Security team. He has spent the last 12 years of his professional life doing defensive security engineering, ranging from designing/implementing obfuscation/anti-tampering tools, to mucking with mobile security and most recently...
Debosmit (Debo) Ray
Software Engineer, Uber Technologies, Inc.
Debosmit Ray (Debo) is an engineer on Uber's Product Security team. His most recent work includes extending Uber's data stores to have encryption support, integrating security primitives into various components of Uber's SDLC, infrastructure security and anomaly detection. He received...

Wednesday April 17, 2019 10:20am - 11:05am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA