AppSecUSA 2015
Friday, September 25 • 3:00pm - 3:55pm
Providence: rapid vulnerability prevention


One challenging aspect of achieving software security is keeping up with the speed of development and deployment. We built Providence with the goal of preventing obvious bugs from ever reaching production.

Providence is a lightweight and scalable tool which finds bugs and anti-patterns of varying complexity in code commits, and we have used it to prevent vulnerabilities ranging from XSS to access control issues to XXE. It works by continuously monitoring and pulling commits from version control systems and scanning them against rules defined in plugins. Additional plugins are easy to create and deploy, which has allowed us to react quickly to new bugs or problems as they are discovered.
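To make the commit-scanning model concrete, here is an added example of a minimal engine of that shape: it walks the added lines of a unified diff and hands each one to regex-based plugins. This is illustrative code written for this page, not Providence's own code or plugin API; the plugin interface, the three rules, and the sample diff are all constructed. The rules are deliberately triage-style (flag a risky construct for a human to confirm), which is how a fast per-commit scanner keeps its false-positive cost tolerable.

```python
"""Minimal commit-scanning engine in the style described above.

Added example, not Providence's own code: the plugin interface, rule names
and SAMPLE_DIFF below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class AddedLine:
    path: str
    lineno: int      # line number in the post-commit version of the file
    text: str


@dataclass(frozen=True)
class Finding:
    plugin: str
    path: str
    lineno: int
    message: str


def added_lines(unified_diff: str) -> Iterator[AddedLine]:
    """Yield only the '+' lines of a unified diff with new-file line numbers.

    Scanning additions only is what keeps per-commit scanning cheap and
    keeps pre-existing code from being re-reported on every commit.
    (A production scanner should use a real diff parser; this one handles
    ordinary git output.)
    """
    path: Optional[str] = None
    new_lineno = 0
    for raw in unified_diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_lineno = int(m.group(1))
        elif raw.startswith("+"):
            yield AddedLine(path or "", new_lineno, raw[1:])
            new_lineno += 1
        elif raw.startswith("-"):
            continue                      # removed line: new-file numbering does not advance
        elif path is not None and not raw.startswith("\\"):
            new_lineno += 1               # unchanged context line


@dataclass(frozen=True)
class RegexPlugin:
    """One rule: fires when an added line in a matching file hits the pattern."""
    name: str
    extensions: Tuple[str, ...]
    pattern: "re.Pattern[str]"
    message: str

    def check(self, line: AddedLine) -> Optional[Finding]:
        if line.path.endswith(self.extensions) and self.pattern.search(line.text):
            return Finding(self.name, line.path, line.lineno, self.message)
        return None


# Constructed rules covering the three bug classes named in the abstract.
PLUGINS: List[RegexPlugin] = [
    RegexPlugin("xxe-parser-created", (".java",),
                re.compile(r"DocumentBuilderFactory\.newInstance\(\)"),
                "XML parser instantiated; confirm DTDs/external entities are disabled"),
    RegexPlugin("dom-xss-sink", (".js", ".html"),
                re.compile(r"\.innerHTML\s*=|document\.write\("),
                "HTML sink receives data; confirm it is encoded or trusted"),
    RegexPlugin("apex-without-sharing", (".cls",),
                re.compile(r"\bwithout\s+sharing\b"),
                "Apex class bypasses record-level sharing; confirm this is intended"),
]


def scan_diff(unified_diff: str, plugins: List[RegexPlugin] = PLUGINS) -> List[Finding]:
    """Run every plugin over every added line and collect findings."""
    findings: List[Finding] = []
    for line in added_lines(unified_diff):
        for plugin in plugins:
            hit = plugin.check(line)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample commit: one XXE-prone parser setup and one DOM XSS sink.
SAMPLE_DIFF = """\
diff --git a/src/Importer.java b/src/Importer.java
--- a/src/Importer.java
+++ b/src/Importer.java
@@ -10,4 +10,6 @@ public class Importer {
     public Document parse(InputStream in) throws Exception {
-        return null;
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        DocumentBuilder db = dbf.newDocumentBuilder();
+        return db.parse(in);
     }
diff --git a/web/profile.js b/web/profile.js
--- a/web/profile.js
+++ b/web/profile.js
@@ -1,3 +1,4 @@
 function render(user) {
-  el.textContent = user.name;
+  el.innerHTML = user.name;
+  console.log("rendered");
 }
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"[{f.plugin}] {f.path}:{f.lineno}: {f.message}")
```

Run stand-alone, it reports the parser construction at `src/Importer.java:11` and the `innerHTML` assignment at `web/profile.js:2`. In a Providence-style deployment the `scan_diff` step would sit behind a loop that polls the repository for new commits and forwards each finding to the committer or a bug tracker; the line-number bookkeeping in `added_lines` is what lets a finding be attached to the exact line the developer just wrote rather than to the file as a whole.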

Providence integrates easily with SDLC workflows and bug-tracking tools, and we will discuss how we have integrated it in-house in an unobtrusive manner. This model also shortens time to resolution: on average, potential problems found by Providence are fixed more quickly than other vulnerabilities, because developers are shown the issue right after they commit the code instead of weeks or months later.

We are currently in the process of open-sourcing Providence in order to share the tool with the DevOps/security community (or any interested parties). This talk will cover the internals of Providence, its engine and plugin architecture (including example plugins and how easily they are created), its integration with our SDLC, and the faster and more efficient responses we have achieved as a result. We are continuing to build new plugins and features, and we are excited to see what ideas others may have in mind!

Speakers
Hormazd Billimoria, Security Engineer, Salesforce
Hormazd Billimoria is a security engineer at Salesforce with an interest in web security. A long time code and security enthusiast from his high school days, he recently earned his master’s degree from Carnegie Mellon. His past research includes side channel attacks for encrypted...
Max Feldman, Product Security Engineer, Salesforce.com
Max Feldman is a Product Security Engineer at Salesforce, where he focuses on penetration tests of AppExchange partners and security assessments of Salesforce features, as well as the development of security tools and automation. Max has a breadth of security interests and enjoys...
Xiaoran Wang, Senior Product Security Engineer, Salesforce
Xiaoran Wang is a Senior Product Security Engineer at Salesforce. He has spoken several times at conferences such as Black Hat USA, Black Hat Asia, ToorCon, HackerHalted, etc. He is passionate about security, especially web and application security. At work, he does architectural...


Friday September 25, 2015 3:00pm - 3:55pm PDT
Room D