Thursday, September 24 • 1:00pm - 1:55pm
Chimera: Securing a Cloud App Ecosystem with ZAP at Scale


One of the biggest challenges in maintaining a cloud application ecosystem whose software is developed by Independent Software Vendors (ISVs) and individual developers is ensuring that data within that ecosystem stays secure. It is impossible for a centralized security team to be responsible for every ISV's product security, code maintenance and so on, yet in the eyes of the public, responsibility for the ecosystem lies with that centralized team. With Chimera, we are trying to make that responsibility a little easier to share.

The Salesforce AppExchange has over 2,650 apps available, and the majority of them connect to an external web service. Although these external systems are not under our control and are, to us, black boxes, we consider trust in the ecosystem to be of paramount importance and spend significant time and resources on ensuring the security of these apps. Even with rigorous security auditing and penetration testing by a large security team, that is a huge ecosystem to keep secure.

One of our main goals is to be ambassadors and educators for good security practice within our ISV community as they develop on our platform. Many of these development teams are small groups, if not individual developers. While none of them are trying to be insecure, relatively few of them have a security team or prior security experience.

The goal of Chimera is to make security scanning easier and more accessible for small developers and ISVs who do not have their own security engineers. Learn how we are using the Heroku platform to make ZAP and many other industry-standard tools available through the cloud, at scale and at the consumer level, with no security expertise required. We will also discuss some of the tools we are building to make use of the data collected by ZAP in the cloud to help predict where future vulnerabilities or exploits may occur within the scanned ecosystem.


Tim Bach

Senior Product Security Engineer, Salesforce
Tim Bach is a Senior Product Security Engineer at Salesforce, where he focuses on penetration tests of AppExchange partners and the research and development of security tools and automation. A firm believer that product security is a shared burden for all developers, engineers, and executives...

Thursday September 24, 2015 1:00pm - 1:55pm PDT
Room A